Aim Security Ltd. today revealed details of the first known zero-click artificial intelligence vulnerability, dubbed “EchoLeak,” which targeted Microsoft Corp.’s 365 Copilot generative AI tool. The vulnerability could have allowed attackers to exfiltrate sensitive internal data without any user interaction.
The vulnerability was discovered in January and promptly reported to Microsoft. Aim Security has disclosed details only now, following Microsoft’s implementation of a fix.
EchoLeak is described by Aim Security as an “LLM Scope Violation.” This refers to scenarios where a large language model can be manipulated to leak information beyond its intended operational context. In this specific instance, the vulnerability involved crafting a malicious email containing particular markdown syntax designed to bypass Microsoft’s Cross-Prompt Injection Attack defenses.
The malicious markdown used reference-style image and link formats. This technique allowed the payload to circumvent Copilot’s sanitization filters, ensuring it remained intact when the AI assistant retrieved and processed the email.
The exploit then leveraged Microsoft’s own trusted domains, such as SharePoint and Teams, which are whitelisted under Copilot’s content security policies. These domains can be used to embed external links or images that automatically trigger outbound requests when rendered by Copilot. Attackers could craft these references to include sensitive data retrieved from Copilot’s context, redirecting the content to a server they controlled.
A critical aspect of EchoLeak identified by Aim’s researchers is its zero-click nature. The attack occurs entirely in the background without any user interaction. Copilot’s automated processing of the email was sufficient to initiate and complete the exploit chain.
Aim Security released a proof-of-concept demonstrating that data such as internal memos, strategic documents, or personal identifiers could be leaked covertly, without any visible notification to the user or system administrators.
Microsoft acknowledged the issue but stated that it had found no evidence of the vulnerability being exploited in the wild.
While the lack of in-the-wild exploitation is positive, the existence of zero-click vulnerabilities in AI services highlights future risks. Cybersecurity experts were not entirely surprised by the emergence of such methods.
Tim Erlin, security strategist at Wallarm Inc., commented, “If you didn’t expect something like this to happen, you haven’t been paying attention. While the specific technique might not have been predictable, the idea that researchers wouldn’t find some kind of meaningful, novel exploit for the ever-expanding AI attack surface is ridiculous. It was bound to happen. Microsoft and the researchers appear to have handled this one well, with responsible disclosure and a fix.”
Ensar Seker, CISO at SOCRadar Cyber Threat Intelligence Inc., warned that the disclosure has “serious implications for NATO, government, defense, healthcare and anyone using enterprise AI assistants: attackers no longer need to compromise user credentials or rely on phishing. They can manipulate a trusted AI interface directly.”
Seker also emphasized that the issue potentially extends beyond Copilot. “What stands out especially is that this isn’t limited to Copilot,” he said. “As Aim Labs warns, any RAG-based agent that processes untrusted inputs alongside internal data is vulnerable to scope violations. This signals a broader architectural flaw across the AI assistant space — one that demands runtime guardrails, stricter input scoping and inflexible separation between trusted and untrusted content.”
