In June 2025, Microsoft patched a vulnerability in Microsoft 365 Copilot tracked as CVE-2025-32711, CVSS 9.3, and named EchoLeak by the researchers who found it at Aim Labs (Aim Security). It's widely described as the first publicly documented zero-click prompt injection against a production LLM application — and the first time prompt injection was shown to cause concrete data exfiltration, not just a misbehaving response.
The part worth sitting with: the victim never clicked anything.
What happened
The attack starts with an ordinary-looking email sent to a target's inbox. Inside that email is a payload written in markdown, phrased as instructions for the language model rather than for the human reading it. The recipient does not need to open it, click it, or act on it in any way.
Later, the user asks Copilot a normal business question — summarize my recent documents, that kind of thing. To answer, Copilot's retrieval layer (RAG) pulls in relevant context, and the attacker's email gets swept into that context alongside the user's genuinely sensitive data: OneDrive files, SharePoint content, Teams messages, chat history. Now the malicious instructions are sitting in the same prompt as the data the attacker wants.








