AIR-2026-004 · AI Agent Incident Register
EchoLeak: a zero-click exfiltration path demonstrated through Microsoft 365 Copilot
Incident: 2025-06-11 · Parties: Aim Labs / Cato Networks (discovering researchers); Microsoft (vendor, M365 Copilot)
Liability locus: Vendor-borne. the gravity sits upstream with the provider; the deployer is largely a bystander.
Legal analysis by Michael K. Onyekwere, CIPP/E · Janus Compliance · Published 2026-06-27 · Last reviewed 2026-06-27. Analysis of public facts. Not legal advice.
What happened
This is a demonstrated vulnerability, not an exploited harm. Microsoft states there was no real-world exploitation and no customers were affected; the discovering firm says it is "not aware of any customers being impacted to date." Nothing below should be read as an assertion that any real user's data was taken.
In January 2025, researchers at Aim Labs (the research arm of Aim Security, since acquired by Cato Networks) reported a vulnerability chain in Microsoft 365 Copilot to Microsoft's Security Response Center. They named the underlying technique "LLM Scope Violation," and the exploit "EchoLeak." It was assigned CVE-2025-32711 and disclosed publicly on or about 11 June 2025. Researchers described it as the first zero-click attack found in a widely used generative-AI product.
The mechanism, as the researchers documented it: an attacker sends the target an ordinary-looking email containing hidden instructions. No click is required, because Copilot ingests the email into the model's context when the user later asks Copilot something unrelated. The injected instructions then cause the model to attend to trusted in-context data, such as prior chat history or content pulled from Microsoft Graph, and route it out through an automatically fetched reference-style image link, relayed via a permitted Microsoft Teams proxy endpoint to evade the content-security policy. Microsoft's own layered defences were each bypassed in turn: the cross-prompt-injection (XPIA) classifiers were evaded by phrasing the malicious instructions as if addressed to the human recipient; the external-link redaction missed reference-style markdown; the CSP was sidestepped through the trusted Teams domain.
Microsoft remediated the issue server-side by May 2025, before the 11 June 2025 public disclosure, with no customer or administrator action required. On severity, the CVE record carries two official CVSS v3.1 scores: Microsoft, as the assigning authority, rates it 9.3 Critical, while NIST's independent NVD assessment is 7.5 High. The gap is the Scope metric: Microsoft scores the trust boundary as crossed (Scope: Changed), NIST does not. Most coverage uses the 9.3 Critical figure; both are legitimate scores from their respective assessors.
The duty engaged
Because there was no exploitation, the duties below are analysed conditionally: the question is what would have been engaged had the technique been used against a real M365 Copilot tenant processing personal data. That conditional framing is the point of a near-miss entry.
Security of processing (GDPR Article 32). A successful EchoLeak-style exfiltration would have moved personal data out of a controller's environment without authorisation. Article 32 obliges controllers and processors to ensure security appropriate to the risk. The interesting feature is where the control failure sat: in the vendor's product, beyond the reach of any customer configuration. Microsoft acts as processor for M365 Copilot content; the remediation was entirely server-side, which means no customer could have patched their way out in advance. A "failure to patch" theory against the deploying organisation would not run, because there was nothing for the customer to patch.
Breach definition (Article 4(12)). Had data been exfiltrated, this would have been a personal-data breach (unauthorised disclosure). The trust-boundary nature of the attack matters for the controller's risk assessment: the data never left an apparently trusted Microsoft surface until the final relay, which complicates detection and therefore the Article 33 awareness clock.
The novel legal question. EchoLeak is the cleanest illustration of what the researchers called a scope violation: untrusted input (an email) causing an agent to act on trusted data without consent. In data-protection terms, the agent collapsed the boundary between content it was processing and content it was authorised to act on. As agents are given broader context windows and tool access, this boundary is where the next wave of breaches will originate, and the law has no settled vocabulary for it yet. Entries in this register will keep returning to it.
The liability chain (conditional)
No harm occurred, so this is an allocation sketch, not a live dispute. Had EchoLeak been exploited against a real tenant:
The vendor (Microsoft) would have carried the structural exposure, because the vulnerability and every bypassed control lived in its product, and the fix was its to deploy. As processor, its Article 28 and contractual security commitments would have been the first reference point. The strongest fact in its favour is the one that actually obtains: it remediated through coordinated disclosure before exploitation, which is the system working as intended.
The deploying organisation (the controller) would still have owed its data subjects the Article 33/34 response and its own Article 32 assessment, but its position would be unusually defensible: it had no patch to apply and no configuration to correct. This is the inverse of the typical agent incident, where the deployer's own choices (scopes granted, data exposed) drive the liability. Here the deployer was, in effect, a bystander to a vendor-side flaw.
The researchers acted as responsible disclosers, reporting to MSRC rather than publishing or exploiting. That conduct is what kept this in the near-miss column, and it is worth naming as the behaviour the ecosystem should reward.
The reason this allocation is worth recording even without harm: it shows that for vendor-side agent vulnerabilities, the liability gravity sits with the provider in a way that procurement contracts should anticipate. A buyer's influence is at the contract stage, in the security warranties and breach-notification terms, not in any post-incident control it could have exercised.
What would have prevented it
- Treat layered guardrails as bypassable until proven otherwise. Microsoft had an injection classifier, link redaction, and a CSP. Each was individually defeated. A defence is only as strong as the weakest link in the chain, and "defence in depth" is not a defence if every layer has a known bypass.
- Enforce the trust boundary at the data layer, not the prompt. The root cause was untrusted input reaching trusted context. Tagging data provenance and refusing to let untrusted content trigger actions on trusted data is the structural fix, the one Microsoft pursued server-side.
- Constrain exfiltration channels. The exploit needed an automatic outbound request (the auto-fetched image) and a permitted relay (the Teams proxy). Tightening which domains rendered agent output can reach shrinks the channel available to any future variant.
- For buyers: read the security warranties. Since the deployer could not have patched, its only pre-incident recourse was contractual. The procurement-stage review of an agent vendor's security commitments and breach-notice terms is where this risk is actually managed.
Mapped controls
- OWASP Top 10 for Agentic Applications 2026: ASI06 Memory & Context Poisoning (best fit): untrusted email content poisons the agent's context and causes it to act on attacker instructions. ASI01 Agent Goal Hijack is a strong secondary fit. EchoLeak predates the 2026 agentic list and is also conventionally mapped to the OWASP LLM Top 10 2025 (LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure).
- NIST AI RMF: primarily a MEASURE failure. The XPIA classifier was a deployed detection control that did not catch the injection (MEASURE), and the layered redaction and CSP controls were each individually bypassable, leaving residual risk under-managed across the chain (MANAGE).
- Singapore IMDA Model AI Governance Framework for Agentic AI: the framework's emphasis on bounding what an agent can access and act on is the control class this near-miss validates; the failure was an agent acting on untrusted input against trusted context, the exact boundary the framework asks deployers to draw.
Sources
- Aim Labs / Cato Networks, "Breaking down 'EchoLeak'" technical breakdown (catonetworks.com/blog/breaking-down-echoleak) — the discovering firm's account of the "LLM Scope Violation" technique and the mechanism, carrying "Aim Labs is not aware of any customers being impacted to date" and Microsoft's confirmation that "no customers were affected" — checked 24 June 2026 [primary]
- NVD, CVE-2025-32711 — two official CVSS v3.1 scores: NIST 7.5 High (vector S:U) and Microsoft/CNA 9.3 Critical (vector S:C); CWE-74 (injection); published 11 June 2025, last modified 17 June 2026 — checked 24 June 2026 [primary]
- Microsoft MSRC Security Update Guide, CVE-2025-32711 "M365 Copilot Information Disclosure Vulnerability" (msrc.microsoft.com) — the official CNA advisory and source of the 9.3 Critical CNA score. The page is JavaScript-rendered and did not machine-fetch, so Microsoft's "no action required / further transparency" framing and no-exploitation position are carried here via the Cato writeup and corroborating coverage — checked 24 June 2026 [primary]
- BleepingComputer, "Zero-click AI data leak flaw uncovered in Microsoft 365 Copilot," June 2025 — checked June 2026
- SecurityWeek, "EchoLeak AI attack enabled theft of sensitive data via Microsoft 365 Copilot," June 2025 — checked June 2026
- The Hacker News, "Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data," June 2025 (Microsoft's no-exploitation position is paraphrased here, not verbatim) — checked June 2026
- arXiv 2509.10540, "EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System," September 2025 — checked June 2026
Cite this entry as AIR-2026-004 (https://companyscope.io/register/air-2026-004). Entry IDs are stable; corrections publish as dated addenda on this page.
Talk to Michael about your agent deployment — or your AI vendor governance more broadly
CompanyScope's public profiles cover the general picture. Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance, and writes one-off CIPP/E-reviewed Vendor Risk Notes for specific procurement decisions. Tell him what you're actually trying to clear.
Your context goes only to Michael. We don't share with the vendor or anyone else. Privacy notice.
Subscribe to the AI Agent Incident Register
Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.
Subscribe — freeDelivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time. Privacy notice.
This analysis is the work Janus Compliance does for clients before the incident. For a fixed-scope read of your own EU AI Act Article 50 exposure, see the Article 50 teardown; for ongoing agent governance, Janus DPO-as-a-Service. Browse the full register or the vendor compliance index.