90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-063
Technology · United States · 2025 · Data exposure & egress

'EchoLeak': one crafted email could make Microsoft 365 Copilot leak a company's internal data, no click required

By Ellie Harris · Filed Disclosed June 2025 (CVE-2025-32711, CVSS 9.3)

Alleged: Microsoft (Microsoft 365 Copilot); Aim Security (disclosing researchers) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

'EchoLeak': one crafted email could make Microsoft 365 Copilot leak a company's internal data, no click required

What happened

Microsoft 365 Copilot reads across a user’s Outlook mail, SharePoint, OneDrive and Teams to answer questions in context. Researchers at Aim Security reported that an attacker could exploit exactly that reach. According to their disclosure, an attacker could send an email containing a hidden instruction (text made invisible to the reader, for example via styling or HTML techniques that hide content from human view), which Copilot would retain. Later, when the user asked Copilot an unrelated, ordinary question, its retrieval engine would pull that email into the model’s context and execute the hidden instruction as though it had come from the user.

The researchers reported that, by chaining several bypasses (evading Microsoft’s cross-prompt-injection classifier, slipping data out through links and images that Copilot could automatically handle, and abusing internal proxy behaviour permitted by existing content-security policies), Copilot could be steered into packaging internal content and sending it to an attacker, with nothing clicked and no attachment opened; the victim only had to use Copilot normally. Microsoft assigned CVE-2025-32711, rated it 9.3 (critical), patched it server-side, and said it had found no exploitation in the wild. Named “EchoLeak,” it was reported as the first real-world zero-click prompt-injection exploit demonstrated against a production LLM system, and the class of risk it exposed outlives the patch: any assistant that mixes untrusted incoming text with trusted internal data in one context is exposed to the same move.

What an auditable version would have shown

When an assistant can reach a company’s documents, the urgent questions are precise: what instruction did it act on, where did that instruction come from, what data did it assemble, and where was that data about to go. An auditable version records, per Copilot action, the sources pulled into context and their trust level, the instruction that drove the action, and the destination of any outbound content, so an instruction that entered through an untrusted email, and an attempt to route internal data to an external endpoint, are both flagged and recorded the moment they happen, not reconstructed after a breach.

Where the gap was

There were two gaps. First, an instruction from an untrusted source, an inbound email, was allowed to steer the agent as if the user had issued it. An AuthorityGate is the control for exactly this: it asks who issued an instruction and whether that source is authorised to bind the agent, and it runs first, before the instruction is obeyed. Second, internal data was allowed to move toward a destination outside the trust boundary. An EgressGate checks, at the point where data would leave, whether the output carries sensitive content and whether the destination sits inside the boundary, and stops it if not. A ConductRecord ties the two together: the untrusted instruction and the blocked or attempted egress become one signed, reviewable event.

What governance should have looked like

Prompt injection is not an exotic edge case; it is the default condition of any agent that reads text it did not author. Governance that assumes retrieved content is safe has already lost. Treat every retrieved document as untrusted input, verify that instructions come from an authorised source before acting on them, and check every outbound path before data crosses the trust boundary. The fix for one email is a patch; the fix for the class is architecture, and a record that shows, for each action, whose instruction it followed and where its output went.

The reference implementation of AuthorityGate, EgressGate, and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Microsoft (Microsoft 365 Copilot); Aim Security (disclosing researchers) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →