---
id: "concept-echoleak"
type: "concept"
source_timestamps: ["¶1", "¶2"]
tags: ["exploits", "case-study", "data-breach", "cve-2025-32711"]
related: ["concept-zero-click-ai-exploits", "entity-microsoft-365-copilot", "entity-org-aim-security"]
definition: "A June 2025 zero-click vulnerability that silently extracted sensitive data from Microsoft 365 Copilot by manipulating its data interaction mechanisms."
cve: "CVE-2025-32711"
disclosed: "2025-06"
source_title: "Research: Conventional Cybersecurity Won't Protect Your AI"
source_url: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sources: ["tail2"]
sourceVaultSlug: "hbr-seg-tail2"
originDay: 2
articleStem: "hbr-tail-128-cybersecurity-wont-protect-ai"
sourceUrl: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sourceTitle: "Research: Conventional Cybersecurity Won’t Protect Your AI"
---
# EchoLeak Vulnerability (CVE-2025-32711)

EchoLeak is a specific vulnerability uncovered by researchers in **June 2025** that exposed sensitive **Microsoft 365 Copilot** data ([[entity-microsoft-365-copilot-d2]]). In the source it is the archetypal [[concept-zero-click-ai-exploits|zero-click AI exploit]]: it bypassed human behavior entirely, silently extracting confidential information by manipulating the underlying mechanisms of how Copilot interacts with user data. Huang uses it as a sobering proof-point that current security models — built for predictable software and application-layer defenses — fail against the dynamic, interconnected nature of modern AI.

**Enrichment grounding.** EchoLeak is catalogued as **CVE-2025-32711** ('AI command injection in M365 Copilot,' per NVD) and was disclosed by **Aim Security / Aim Labs** ([[entity-org-aim-security]]). Technically it is an *LLM Scope Violation* / *indirect prompt injection*: a single crafted email causes Copilot to violate its scope and exfiltrate data it can access (chat logs, OneDrive, SharePoint, Teams) through allowed outbound channels. Microsoft patched it server-side in May/June 2025, with no evidence of in-the-wild exploitation. It is frequently called 'the first known zero-click prompt-injection exploit in a production AI agent.'

**Important tension for the thesis.** EchoLeak was an **AI-layer / application-logic** exploit — *not* a GPU or firmware compromise. Counter-perspectives use exactly this to push back on Huang's infrastructure-first framing ([[claim-infrastructure-over-application]]): it demonstrates that AI-layer scoping and context handling are *also* a primary attack surface, and that better app/AI design (context filtering, stricter CSP, data labeling, DLP) could have mitigated it.
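
One way to express the data-labeling and DLP mitigations named above as an egress check on assistant output, run before a response is rendered. This is an added example, not code from Microsoft, Aim Security or the source article; `ContextItem`, `review_output`, the host allowlist and all sample data are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"intranet.example.com"}   # hypothetical egress allowlist
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,}")

@dataclass(frozen=True)
class ContextItem:
    source: str       # where retrieval got it: "email", "sharepoint", ...
    trusted: bool     # False for content authored outside the tenant
    sensitive: bool   # data label applied at ingestion
    text: str

def sensitive_tokens(context):
    """Identifier-like tokens (contain a digit) from sensitive-labelled items."""
    return {t.lower() for c in context if c.sensitive
            for t in TOKEN_RE.findall(c.text) if any(ch.isdigit() for ch in t)}

def review_output(context, output):
    """Return (verdict, findings) for one assistant response before rendering."""
    untrusted_in_scope = any(not c.trusted for c in context)
    secrets = sensitive_tokens(context)
    findings = []
    for url in URL_RE.findall(output):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Decode percent-encoding so an encoded value still matches its label.
        carried = unquote(parts.path + "?" + parts.query).lower()
        if any(tok in carried for tok in secrets):
            findings.append(("sensitive-data-in-url", url))
        elif untrusted_in_scope and host not in ALLOWED_HOSTS:
            # Scope rule: untrusted input in context plus an unlisted destination.
            findings.append(("unlisted-host-with-untrusted-context", url))
    return ("block" if findings else "allow"), findings

# Constructed sample data, not taken from any real incident.
CONTEXT = [
    ContextItem("email", False, False, "Hello, please see the summary."),
    ContextItem("sharepoint", True, True, "Codename ORCHID-7741 budget approved"),
]
LEAKY = "Details: https://img.example.net/p.png?d=ORCHID%2D7741"
BENIGN = "See https://intranet.example.com/wiki/budget for the policy."

if __name__ == "__main__":
    for text in (LEAKY, BENIGN):
        print(review_output(CONTEXT, text))
```

The token match only catches literal or percent-encoded values; data that has been re-encoded or summarised is caught only by the host rule, so the allowlist has to stay tight.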
