Summary
EchoLeak is a zero-click indirect prompt-injection vulnerability in Microsoft 365 Copilot discovered by Aim Labs (Aim Security). A single crafted email containing hidden instructions causes Copilot to read and exfiltrate internal organizational data such as chat history, OneDrive files, SharePoint content and Teams messages with no user interaction. The exploit chained several bypasses: evading Microsoft's XPIA prompt-injection classifier, circumventing link redaction with reference-style Markdown, abusing auto-fetched images, and using a Microsoft Teams proxy permitted by the content security policy to exfiltrate data. Aim Labs named the underlying class an LLM Scope Violation, where untrusted external input manipulates the model into crossing its trust boundary and leaking privileged data.
How to avoid it in your code
- Apply Microsoft's EchoLeak fix (CVE-2025-32711); keep Microsoft 365 Copilot updated.
- Treat incoming emails/external content as untrusted data the model must not obey as instructions.
- Isolate untrusted content from privileged context to prevent LLM scope violations.
- Block auto-fetched images and restrict egress (including Teams proxy) to an allow-list.
- Strip/encode Markdown links and references before the model processes external text.
References
Related vulnerabilities
All AI/LLM →- HIGHAI-CLAUDECODE-SOURCEMAP-2026
On March 31, 2026, Anthropic accidentally shipped the full source of its Claude Code CLI inside a published npm package. A missing .npmignore rule for *.map left a roughly 59.8 MB source map in the tarball, embedding about 512,000 lines of unobfuscated TypeScript across some 1,900 files, including internal prompts, tool definitions and architecture. The root cause was a packaging failure compounded by a bundler bug: Bun continued emitting source maps even when generation was disabled, and nothing stripped or excluded them before publish. Because npm releases are immutable and mirrored instantly, the source was cloned, dissected and re-hosted within hours, and a clean-room reimplementation reached tens of thousands of GitHub stars the same day. It is a textbook source-map disclosure: the sourcesContent field of a .map file carries the original code verbatim, so a single map left in a shipped artifact hands an attacker the entire codebase, comments and all. The same class hit Apple's App Store web front-end in November 2025, where production source maps left enabled let a researcher reconstruct and publish the full client source.
- CRITICALAI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.
- HIGHAI-SHADOWLEAK-2025
ShadowLeak is a server-side zero-click indirect prompt-injection attack against ChatGPT's Deep Research agent, discovered by Radware. An attacker emails the victim a message with instructions hidden in the HTML using white-on-white text and tiny fonts; when the user runs Deep Research over their inbox, the agent autonomously follows the hidden instructions and exfiltrates personal and inbox data. The distinguishing trait is that exfiltration occurs entirely server-side within OpenAI's cloud infrastructure, making it invisible to local and enterprise network defenses. The Gmail proof of concept generalizes to any Deep Research connector; OpenAI fixed it before public disclosure with no evidence of in-the-wild exploitation.
- CRITICALAI-TEA-APP-BREACH-2025
The Tea women's-safety app left a Google Firebase Storage bucket publicly accessible with no authentication and directory listing enabled, exposing roughly 72,000 images including about 13,000 verification selfies and government IDs (driver's licenses, passports) and about 59,000 images from posts and messages; a separate exposed datastore leaked over 1 million private user messages. The stolen data was dumped on 4chan, fueling doxxing and harassment. Analysis showed hallmarks of rapidly built apps, including hardcoded API keys and client tokens in the source and an unsecured legacy storage system retained after a 2024 migration.
- MEDIUMAI-GEMINI-WORKSPACE-2025
Marco Figueroa of Mozilla's 0DIN program documented a Gemini for Workspace flaw where an attacker hides instructions inside an email using tags styled with font-size zero or white-on-white text, invisible to the recipient. When the user clicks Summarize this email, Gemini processes the raw HTML and treats the hidden directive as a high-priority instruction, appending an attacker-crafted fake security warning, such as a fake support phone number, that appears to come from Google. No links or attachments are required, enabling credential harvesting and vishing at scale through indirect prompt injection.
- HIGHAI-AGENTSMITH-2025
Noma Security discovered AgentSmith, a flaw in the public LangSmith Prompt Hub where an attacker uploads a malicious AI agent with a pre-configured proxy server baked into its settings. When a victim adopts and runs the shared agent, all traffic including OpenAI API keys, prompts, uploaded documents, images and voice inputs is silently routed through the attacker's proxy, enabling exfiltration of API keys, theft of data and man-in-the-middle manipulation of downstream LLM responses. LangChain confirmed and fixed the issue in November 2024; scope was limited to the public Prompt Hub sharing feature and there was no evidence of in-the-wild exploitation.