In a world first, researchers from Aim Labs have identified a critical zero-click vulnerability in Microsoft 365 Copilot that can lead to the exfiltration of sensitive corporate data with a simple email.

The vulnerability, dubbed ‘EchoLeak,’ exploits design flaws typical of Retrieval Augmented Generation (RAG) Copilots, allowing attackers to automatically exfiltrate any data from M365 Copilot’s context, without relying on specific user behavior.

It was discovered by the Aim Labs researchers while using a new exploitation technique called ‘Large language model (LLM) Scope Violation.’

This is the first zero-click AI vulnerability ever discovered, according to the researchers, who shared their findings in a June 11 report.

Aim Labs contacted Microsoft about the flaw in January 2025. The tech giant finalized the patch for the vulnerability in May 2025.

How Microsoft 365 Copilot Uses RAG and LLMs

Microsoft 365 Copilot is an AI-powered productivity tool that integrates with apps such as Word, Excel, PowerPoint, Outlook and Teams. It utilizes LLMs – specifically, OpenAI’s GPT models – and the Microsoft Graph to personalize responses, offering features such as drafting documents, summarizing emails and generating presentations.

More precisely, Microsoft 365 Copilot utilizes RAG, a technique that enables LLMs to retrieve and incorporate new information.

“To deliver this functionality, M365 Copilot queries the Microsoft Graph and retrieves any relevant information from the user’s organizational environment, including their mailbox, OneDrive storage, M365 Office files, internal SharePoint sites and Microsoft Teams chat history,” the Aim Labs report explained. “Copilot’s permission model ensures that the user only has access to their own files, but these files could contain sensitive, proprietary or compliance information!”

LLM Scope Violation

During the testing of M365 Copilot, the Aim Labs researchers performed a new type of indirect prompt injection (tracked as LLM01 in OWASP’s Top 10 for LLM Applications), which they called ‘LLM Scope Violation.’

This technique aims to allow the LLM to access trusted data without the user's consent. It involves an attacker performing several steps, including bypassing various security measures to inject malicious prompts into the LLM.

Here is a step-by-step breakdown of the attack chain: