Zero-Click AI Vulnerability Unveils Microsoft 365 Copilot Data Without User Consent

A newly identified attack technique, termed EchoLeak, has been classified as a “zero-click” artificial intelligence (AI) vulnerability that enables malicious actors to exfiltrate sensitive information from Microsoft 365 Copilot’s context without requiring any user interaction.

This critical vulnerability has received the CVE identifier CVE-2025-32711, with a CVSS score of 9.3. It necessitates no user action and has been promptly addressed by Microsoft. To date, there is no evidence to suggest that this vulnerability has been exploited in real-world attacks.

Microsoft’s advisory, published on Wednesday, describes that “AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.” The issue has been incorporated into Microsoft’s Patch Tuesday list for June 2025, bringing the total number of vulnerabilities addressed during this update to 68.

Aim Security, the firm that discovered and reported the vulnerability, characterized it as a case of large language model (LLM) Scope Violation, which facilitates indirect prompt injection, culminating in unintended system behavior.

LLM Scope Violation occurs when encoded instructions from an external source, such as a phishing email, manipulate the AI system into accessing and processing sensitive internal data without explicit user consent or action.

Aim Security asserted that the attack vectors enable attackers to automatically exfiltrate sensitive and proprietary information from the M365 Copilot context, achieving this unnoticed by users and without requiring any specific actions from the victim. The exploit operates even within an interface intended for employee access only.

The attack process unfolds as follows:

• Injection: An attacker forwards a seemingly benign email containing the LLM scope violation exploit to an employee’s Outlook inbox.
• User Query: The user poses a business-related inquiry to Microsoft 365 Copilot (e.g., requests a summary of an earnings report).
• Scope Violation: The Copilot integrates the compromised input with sensitive data through the Retrieval-Augmented Generation (RAG) engine.
• Data Leakage: The sensitive information is leaked to the attacker via URLs shared through Microsoft Teams and SharePoint.

As a zero-click AI vulnerability, EchoLeak presents considerable risks for data exfiltration and potential extortion for motivated attackers. It exemplifies the inherent risks associated with the design of AI agents and chatbots.

The implications of this attack mechanism allow for the unauthorized extraction of the most sensitive data from the current LLM context, effectively turning LLM capabilities against itself. This exploitation does not depend on specific user actions and can be executed in both single-turn and multi-turn interactions.

MCP and Advanced Tool Poisoning

This disclosure coincides with CyberArk’s revelation of a tool poisoning attack affecting the Model Context Protocol (MCP) standard. Dubbed Full-Schema Poisoning (FSP), this technique extends beyond mere tool descriptions to potentially compromise the entire schema.

CyberArk experts highlight that focusing solely on the description field of tools underestimates broader attack surfaces. Every component of the tool schema can serve as an injection point.

The underlying issue originates from MCP’s “optimistic trust model,” which assumes that syntactic correctness equates to semantic safety, trusting that LLMs will adhere to explicitly defined behaviors.

Moreover, TPA and FSP could be repurposed for advanced tool poisoning attacks (ATPA), wherein an attacker could craft a tool with a benign description but present a deceptive error message that lures the LLM into accessing confidential data, such as SSH keys, to resolve the fabricated issue.

As LLM agents grow increasingly sophisticated and autonomous, their engagement with external tools through protocols like MCP will significantly determine their operational safety and reliability. Tool poisoning attacks, particularly advanced types like ATPA, expose critical vulnerabilities in existing implementations.

Given that MCP facilitates consistent interactions between AI agents, tools, services, and data sources, vulnerabilities in the MCP client-server architecture can lead to significant security breaches, such as coercing an agent to leak data or execute malicious code.

This is exemplified by a recently disclosed critical vulnerability within the popular GitHub MCP integration, which could allow an attacker to compromise a user’s agent through a malicious GitHub issue and manipulate it into revealing data from private repositories when prompted to “review the issues.”

The malicious payload is executed by the agent as soon as it queries the list of public repository issues, categorized as an instance of a toxic agent flow. However, addressing this vulnerability requires more than server-side patches from GitHub; it involves a fundamental architectural reconsideration, including the implementation of strict permission controls to ensure agents access only necessary repositories and the routine auditing of interactions between agents and MCP systems.

MCP Rebinding Attack

The accelerated adoption of MCP as a pivotal component for enterprise automation and agent-based applications has also opened new avenues for attack, such as Domain Name System (DNS) rebinding attacks, which leverage Server-Sent Events (SSE) to access sensitive data by exploiting protected resources on internal networks.

DNS rebinding entails manipulating a victim’s browser to regard an external domain as belonging to the internal network, thereby circumventing same-origin policy restrictions. These attacks are typically initiated when a user accesses a malicious website crafted by the attacker through phishing or social engineering tactics.

This flaw in browser security mechanisms allows client-side JavaScript from a malicious website to breach security protocols, targeting devices on the victim’s private network that are invisible on the public internet.

The MCP rebinding attack enables the adversary-controlled website to exploit internal resources within the victim’s network, thereby interacting with the MCP server operating on localhost and facilitating the exfiltration of sensitive data.

Utilizing SSE’s long-lasting connections, attackers can move from a phishing domain to target internal MCP servers. It is important to note that SSE has been deprecated as of November 2024 in favor of Streamable HTTP, addressing the risks associated with DNS rebinding attacks. Recommendations to mitigate these threats include enforcing authentication on MCP servers and verifying the “Origin” header for all incoming connections to protect against unauthorized access.