LLM01:2025Prompt Injection
Slide 13 of 28
Part 2 · TypesSlide 13
Slide 13 · Indirect Injection — Real Example
EchoLeak — the first zero-click prompt injection exploit in production enterprise AI.
CVE-2025-32711. Microsoft 365 Copilot. June 2025. Verified and patched.
Confirmed CVE · Disclosed June 2025 · Found by Aim Security Researchers
EchoLeak — Microsoft 365 Copilot Silent Data Exfiltration
CVE-2025-32711 · CVSS 9.3 Critical · Server-side patch by Microsoft · No exploitation in wild confirmed

The setup: Microsoft 365 Copilot is integrated into Outlook, Word, PowerPoint, and Teams. It reads documents and emails on behalf of the user to summarize and answer questions. That's its designed purpose.

The attack: An attacker sends a single crafted email to the victim. The email looks completely normal to the human. Hidden inside are instructions to Copilot. When Copilot automatically processes the email as part of normal M365 operation, it follows the hidden instructions: access the victim's internal files and exfiltrate their contents to an attacker-controlled server.

The exfiltration mechanism: The attack used reference-style Markdown to embed an image link pointing to the attacker's server, encoding the stolen data in the URL. This bypassed Microsoft's XPIA (Cross Prompt Injection Attempt) classifier. The image auto-fetched via a Microsoft Teams proxy that was already whitelisted in Copilot's content security policy.

Zero user interaction required. Victim didn't click. Didn't open an attachment. Didn't reply. Copilot processed it automatically.

Why it worked: Copilot read the email and treated embedded instructions the same as legitimate system instructions. The attack chained four bypasses: evaded the XPIA classifier, circumvented link redaction using reference-style Markdown, exploited auto-fetched images, and abused a Teams proxy allowed by the CSP. Microsoft's fix required a server-side patch — no developer could have prevented this in their own system prompt. Sentra's post-incident analysis: "The defense requires scoped data access before Copilot can reach it — not just patching individual vulnerabilities as they emerge."
The Defense Lesson

EchoLeak's CVSS 9.3 rating reflected partly that Copilot had broad access to the entire victim M365 environment. OWASP Mitigation #4 — least privilege — applied before deployment would have limited the blast radius even after the injection succeeded. Scope the AI's data access to the minimum it actually needs.

← BackPart 2 done → Part 3: Attack Scenarios
📄 View sources for this lesson