Microsoft 365 Copilot hit by zero-click 'EchoLeak/SearchLeak' data-exfiltration flaw

Security researchers disclosed a zero-click vulnerability in Microsoft 365 Copilot, tracked as CVE-2025-32711 and dubbed EchoLeak/SearchLeak, that allows attackers to exfiltrate sensitive corporate data via a single crafted email using prompt injection — with no user interaction required. The attacker plants hidden instructions in an email; when Copilot processes the user's mailbox context, it follows the injected commands to leak data, making this one of the more alarming demonstrations of AI-agent risk in enterprise settings.

Researchers writing for CSO Online warned bluntly that the prompt-injection attack surface 'just got bigger,' arguing that as Copilot and similar assistants gain deeper access to corporate data stores, the blast radius of a single injection grows. The zero-click nature is the critical escalation: prior prompt-injection demos typically required a user to paste or open malicious content, whereas EchoLeak triggers from passively received email.

The timing is pointed. It lands the same week Microsoft made Copilot Cowork generally available with deep M365 data grounding and AWS launched 'agentic security at machine speed' — underscoring the central tension of the agentic era: the more context and autonomy you grant an agent, the more catastrophic an injection becomes. Separately, Aembit extended its identity-and-access-management capabilities to Microsoft Copilot Studio for agentic AI, reflecting a nascent market for agent-specific security controls.

For enterprise security teams the lesson is that traditional perimeter and email-security controls don't address AI-native exfiltration paths. Watch for Microsoft's patch details and mitigation guidance, and for whether this accelerates demand for prompt-injection defenses, output filtering, and least-privilege agent architectures across the industry.