Skip to main content
The homepageThe VergeThe Verge logo.
The homepageThe VergeThe Verge logo.
Posted
E
External Link
Emma Roth
Security researchers found a zero-click vulnerability in Microsoft 365 Copilot.

The vulnerability, called “EchoLeak,” lets attackers “automatically exfiltrate sensitive and proprietary information” from Microsoft 365 Copilot without knowledge of the user, according to findings from Aim Labs.

An attacker only needs to send their victim a malicious prompt injection disguised as a normal email, which covertly instructs Copilot to pull sensitive information from a user’s account.

Microsoft has since fixed the critical flaw and given it the identifier CVE-2025-32711. It also hasn’t been exploited in the wild.

Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.

Most Popular

Most Popular
  1. Epic just won its Google lawsuit again, and Android may never be the same
  2. Google’s Pixel Tablet is $190 off for a limited time
  3. All the news from Nintendo’s July 2025 Direct showcase
  4. Ford’s planning a ‘Model T moment’ for EVs on August 11th
  5. Nintendo Switch prices are going up after this weekend

More in News

IRS head says free Direct File tax service is ‘gone’IRS head says free Direct File tax service is ‘gone’
Microsoft is killing off Windows 11 SE, its Chrome OS competitorMicrosoft is killing off Windows 11 SE, its Chrome OS competitor
Everything we think we know about the Google Pixel 10 phonesEverything we think we know about the Google Pixel 10 phones
Samsung TVs are coming back online after apps stopped workingSamsung TVs are coming back online after apps stopped working
Nintendo’s Switch 2 doubles first-month sales of the originalNintendo’s Switch 2 doubles first-month sales of the original
The LeapMove is a gamified camera designed to get kids off the couchThe LeapMove is a gamified camera designed to get kids off the couch

Top Stories