[German]In June 2025, security researchers reported the first zero-click vulnerability they had encountered in the Microsoft 365 Copilot AI application. Attackers could use this vulnerability, known as EchoLeak, to force Microsoft 365 Copilot to exfiltrate data. Check Point Research has now published an initial analysis of the situation.
Review of EchoLeak Copilot vulnerability
Since Microsoft has been rolling out its AI solutions such as Copilot to all users who do not opt out, questions have arisen about the security of these features. Security researchers at the startup Aim Labs have discovered a critical zero-click AI vulnerability, which they have named EchoLeak. The vulnerability is found in Copilot, which is being rolled out with Microsoft 365 (M365).
In their article Breaking down 'EchoLeak', the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot, the security researchers outline an attack chain known as "LLM Scope Violation" that can be applied to Copilot to extract information. The security researchers state that unauthorized third parties can retrieve information from Copilot, even though the M365 Copilot interface is only accessible to company employees. AIM Labs writes that this new technique could also be used for abuse in other RAG-based chatbots and AI agents.
Analysis of the vulnerability
I reported on the details of this attack in my blog post EchoLeak: First AI 0-Click vulnerability in Microsoft Copilot. According to security researchers, the vulnerability, dubbed EchoLink by Check Point, is a good example of a new class of AI-based cyber attacks. The vulnerability, known as EchoLink, marks the beginning of a new era of attacks, as it requires no clicks, downloads, or user interaction to access sensitive corporate data, according to the experts.
The vulnerability allows attackers in Microsoft's AI-powered work environment to embed hidden prompts in shared documents, calendar invitations, or emails. Once Copilot processes this content, confidential information such as project reports or meeting summaries can be automatically disclosed – in the background and without the user's knowledge. Microsoft closed the vulnerability in June 2025. But as EchoLink shows, zero-click exploits are not isolated cases, but rather provide a glimpse into future attack methods.
Enterprises are too careless
According to CheckPoint Research, many companies rely on Microsoft's native protection features or use multiple point solutions. However, it is precisely this fragmented approach that creates vulnerabilities such as delayed detection, higher administrative overhead, and blind spots between systems. EchoLink shows that traditional defense mechanisms against AI-based zero-click exploits are not sufficient.
Advanced security solutions designed for cloud-based communication tools such as Microsoft 365, Google Workspace, MS Teams, and Slack, on the other hand, offer:
- AI- and ML-powered detection of malicious prompts, payloads, and behavioral anomalies.
- Zero-click prevention by scanning all documents, links, and embedded content before users open them.
- Context-sensitive data loss prevention (DLP) to prevent unauthorized data leaks.
- Centralized management and full transparency via a unified dashboard.
"EchoLink is not an isolated case, but a warning sign for the entire industry. AI-driven attacks are already a reality and will continue to increase in the future. Companies that rely on fragmented or purely native protective measures risk data loss and damage to their reputation. Advanced AI cyber defense is needed to counter these AI cyber attacks," says Marco Eggerling, Global CISO at Check Point Software Technologies. Checkpoint published its analysis in the blog post EchoLink and the Rise of Zero-Click AI Exploits.
Similar articlesl:
BlackHat 2024: Remote code execution attack on M365 Copilot via email
EchoLeak: First AI 0-Click vulnerability in Microsoft Copilot
