What happened
Microsoft 365 Copilot reads across a user’s Outlook mail, SharePoint, OneDrive and Teams to answer questions in context. Researchers at Aim Security reported that an attacker could exploit exactly that reach. According to their disclosure, an attacker could send an email containing a hidden instruction (text made invisible to the reader, for example via styling or HTML techniques that hide content from human view), which Copilot would retain. Later, when the user asked Copilot an unrelated, ordinary question, its retrieval engine would pull that email into the model’s context and execute the hidden instruction as though it had come from the user.
The researchers reported that, by chaining several bypasses (evading Microsoft’s cross-prompt-injection classifier, slipping data out through links and images that Copilot could automatically handle, and abusing internal proxy behaviour permitted by existing content-security policies), Copilot could be steered into packaging internal content and sending it to an attacker, with nothing clicked and no attachment opened; the victim only had to use Copilot normally. Microsoft assigned CVE-2025-32711, rated it 9.3 (critical), patched it server-side, and said it had found no exploitation in the wild. Named “EchoLeak,” it was reported as the first real-world zero-click prompt-injection exploit demonstrated against a production LLM system, and the class of risk it exposed outlives the patch: any assistant that mixes untrusted incoming text with trusted internal data in one context is exposed to the same move.
What an auditable version would have shown
When an assistant can reach a company’s documents, the urgent questions are precise: what instruction did it act on, where did that instruction come from, what data did it assemble, and where was that data about to go. An auditable version records, per Copilot action, the sources pulled into context and their trust level, the instruction that drove the action, and the destination of any outbound content, so an instruction that entered through an untrusted email, and an attempt to route internal data to an external endpoint, are both flagged and recorded the moment they happen, not reconstructed after a breach.
Where the gap was
There were two gaps. First, an instruction from an untrusted source, an inbound email, was allowed to steer the agent as if the user had issued it. An AuthorityGate is the control for exactly this: it asks who issued an instruction and whether that source is authorised to bind the agent, and it runs first, before the instruction is obeyed. Second, internal data was allowed to move toward a destination outside the trust boundary. An EgressGate checks, at the point where data would leave, whether the output carries sensitive content and whether the destination sits inside the boundary, and stops it if not. A ConductRecord ties the two together: the untrusted instruction and the blocked or attempted egress become one signed, reviewable event.
What governance should have looked like
Prompt injection is not an exotic edge case; it is the default condition of any agent that reads text it did not author. Governance that assumes retrieved content is safe has already lost. Treat every retrieved document as untrusted input, verify that instructions come from an authorised source before acting on them, and check every outbound path before data crosses the trust boundary. The fix for one email is a patch; the fix for the class is architecture, and a record that shows, for each action, whose instruction it followed and where its output went.
The reference implementation of AuthorityGate, EgressGate, and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System (arXiv)
- CVE-2025-32711 “EchoLeak” zero-click AI vulnerability (SOC Prime)
- EchoLeak (CVE-2025-32711): what the Microsoft Copilot prompt injection vulnerability means for your data (Sentra)