CompanyScope
by Janus Compliance

AIR-2026-004 · AI Agent Incident Register

EchoLeak: a zero-click exfiltration path demonstrated through Microsoft 365 Copilot

Incident: 2025-06-11 · Parties: Aim Labs / Cato Networks (discovering researchers); Microsoft (vendor, M365 Copilot)

Liability locus: Vendor-borne. the gravity sits upstream with the provider; the deployer is largely a bystander.

Legal analysis by Michael K. Onyekwere, CIPP/E · Janus Compliance · Published 2026-06-27 · Last reviewed 2026-06-27. Analysis of public facts. Not legal advice.

Share this AIR-2026-004 profile:Share on XBluesky

What happened

This is a demonstrated vulnerability, not an exploited harm. Microsoft states there was no real-world exploitation and no customers were affected; the discovering firm says it is "not aware of any customers being impacted to date." Nothing below should be read as an assertion that any real user's data was taken.

In January 2025, researchers at Aim Labs (the research arm of Aim Security, since acquired by Cato Networks) reported a vulnerability chain in Microsoft 365 Copilot to Microsoft's Security Response Center. They named the underlying technique "LLM Scope Violation," and the exploit "EchoLeak." It was assigned CVE-2025-32711 and disclosed publicly on or about 11 June 2025. Researchers described it as the first zero-click attack found in a widely used generative-AI product.

The mechanism, as the researchers documented it: an attacker sends the target an ordinary-looking email containing hidden instructions. No click is required, because Copilot ingests the email into the model's context when the user later asks Copilot something unrelated. The injected instructions then cause the model to attend to trusted in-context data, such as prior chat history or content pulled from Microsoft Graph, and route it out through an automatically fetched reference-style image link, relayed via a permitted Microsoft Teams proxy endpoint to evade the content-security policy. Microsoft's own layered defences were each bypassed in turn: the cross-prompt-injection (XPIA) classifiers were evaded by phrasing the malicious instructions as if addressed to the human recipient; the external-link redaction missed reference-style markdown; the CSP was sidestepped through the trusted Teams domain.

Microsoft remediated the issue server-side by May 2025, before the 11 June 2025 public disclosure, with no customer or administrator action required. On severity, the CVE record carries two official CVSS v3.1 scores: Microsoft, as the assigning authority, rates it 9.3 Critical, while NIST's independent NVD assessment is 7.5 High. The gap is the Scope metric: Microsoft scores the trust boundary as crossed (Scope: Changed), NIST does not. Most coverage uses the 9.3 Critical figure; both are legitimate scores from their respective assessors.

The duty engaged

Because there was no exploitation, the duties below are analysed conditionally: the question is what would have been engaged had the technique been used against a real M365 Copilot tenant processing personal data. That conditional framing is the point of a near-miss entry.

Security of processing (GDPR Article 32). A successful EchoLeak-style exfiltration would have moved personal data out of a controller's environment without authorisation. Article 32 obliges controllers and processors to ensure security appropriate to the risk. The interesting feature is where the control failure sat: in the vendor's product, beyond the reach of any customer configuration. Microsoft acts as processor for M365 Copilot content; the remediation was entirely server-side, which means no customer could have patched their way out in advance. A "failure to patch" theory against the deploying organisation would not run, because there was nothing for the customer to patch.

Breach definition (Article 4(12)). Had data been exfiltrated, this would have been a personal-data breach (unauthorised disclosure). The trust-boundary nature of the attack matters for the controller's risk assessment: the data never left an apparently trusted Microsoft surface until the final relay, which complicates detection and therefore the Article 33 awareness clock.

The novel legal question. EchoLeak is the cleanest illustration of what the researchers called a scope violation: untrusted input (an email) causing an agent to act on trusted data without consent. In data-protection terms, the agent collapsed the boundary between content it was processing and content it was authorised to act on. As agents are given broader context windows and tool access, this boundary is where the next wave of breaches will originate, and the law has no settled vocabulary for it yet. Entries in this register will keep returning to it.

The liability chain (conditional)

No harm occurred, so this is an allocation sketch, not a live dispute. Had EchoLeak been exploited against a real tenant:

The vendor (Microsoft) would have carried the structural exposure, because the vulnerability and every bypassed control lived in its product, and the fix was its to deploy. As processor, its Article 28 and contractual security commitments would have been the first reference point. The strongest fact in its favour is the one that actually obtains: it remediated through coordinated disclosure before exploitation, which is the system working as intended.

The deploying organisation (the controller) would still have owed its data subjects the Article 33/34 response and its own Article 32 assessment, but its position would be unusually defensible: it had no patch to apply and no configuration to correct. This is the inverse of the typical agent incident, where the deployer's own choices (scopes granted, data exposed) drive the liability. Here the deployer was, in effect, a bystander to a vendor-side flaw.

The researchers acted as responsible disclosers, reporting to MSRC rather than publishing or exploiting. That conduct is what kept this in the near-miss column, and it is worth naming as the behaviour the ecosystem should reward.

The reason this allocation is worth recording even without harm: it shows that for vendor-side agent vulnerabilities, the liability gravity sits with the provider in a way that procurement contracts should anticipate. A buyer's influence is at the contract stage, in the security warranties and breach-notification terms, not in any post-incident control it could have exercised.

What would have prevented it

Mapped controls

Sources


Cite this entry as AIR-2026-004 (https://companyscope.io/register/air-2026-004). Entry IDs are stable; corrections publish as dated addenda on this page.

Share this AIR-2026-004 profile:Share on XBluesky

Talk to Michael about your agent deployment — or your AI vendor governance more broadly

CompanyScope's public profiles cover the general picture. Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance, and writes one-off CIPP/E-reviewed Vendor Risk Notes for specific procurement decisions. Tell him what you're actually trying to clear.

A sentence or two is plenty.

Your context goes only to Michael. We don't share with the vendor or anyone else. Privacy notice.

Subscribe to the AI Agent Incident Register

Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.

Subscribe — free

Delivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time. Privacy notice.

This analysis is the work Janus Compliance does for clients before the incident. For a fixed-scope read of your own EU AI Act Article 50 exposure, see the Article 50 teardown; for ongoing agent governance, Janus DPO-as-a-Service. Browse the full register or the vendor compliance index.