EchoLeak is a critical vulnerability found in Microsoft 365 Copilot, allowing attackers to steal sensitive corporate information through a single email without any user interaction. Discovered by Aim Security, this is the first known zero-click attack on an AI tool, exploiting Copilot's ability to process internal and external data. The method involves sending crafted emails that trigger Copilot's processing mechanisms to retrieve and transmit confidential data to an attacker's server, highlighting significant security weaknesses in AI integration within corporate environments.
"This is sheer weaponization of AI's core strength, contextual understanding, against itself," said Abhishek Anant Garg, an analyst at QKS Group.
One crafted email is all it takes. Copilot processes it silently, follows hidden prompts, digs through internal files, and sends confidential data out.