Security researchers disclosed a vulnerability in Microsoft 365 Copilot this month that should be required reading for every engineering leader deploying AI assistants in enterprise environments. The vulnerability, designated CVE-2025-32711 and nicknamed "EchoLeak," is a zero-click prompt injection exploit that enables data exfiltration from Microsoft 365 Copilot. Its CVSS score: 9.6 out of 10.
Let that severity rating sink in. On the standardized scale the security industry uses to assess vulnerabilities, where 10.0 represents the most critical possible severity, EchoLeak scores 9.6. And it requires zero interaction from the target user to exploit.
What EchoLeak Actually Does
The attack works by injecting malicious prompts into content that Microsoft 365 Copilot processes—documents, emails, chat messages. When Copilot ingests this content as context for generating a response, the injected prompt hijacks the model's behavior, causing it to exfiltrate sensitive data to an attacker-controlled endpoint. The user never clicks anything. They never approve anything. Copilot does what it's designed to do—read content and respond—and the exploit rides that normal behavior like a parasite.
This is not a theoretical proof-of-concept presented at an academic conference. This is a vulnerability in a product used by organizations worldwide, discovered in the same month that Microsoft reported 150 million Copilot users and that 90% of Fortune 100 companies are deploying GitHub Copilot.
The architectural pattern that makes EchoLeak possible is prompt injection—the technique where adversarial instructions embedded in data are interpreted as commands by an AI system. We've been tracking this threat vector since earlier this year, when research on FlipAttack demonstrated approximately 98% bypass rates against guardrails using character order alterations. EchoLeak validates what that research predicted: prompt injection isn't a theoretical concern. It's a production vulnerability class with critical severity ratings.
Why Zero-Click Matters
The "zero-click" characteristic of EchoLeak deserves specific attention because it fundamentally changes the threat model for enterprise AI deployments.
Most organizations' security frameworks assume that attacks require some form of user action—clicking a link, opening a malicious attachment, entering credentials on a phishing site. User training and awareness programs are designed around this assumption. "Think before you click" has been the foundation of enterprise security culture for two decades.
Zero-click prompt injection eliminates that assumption. The attack surface isn't user behavior—it's the AI system's behavior. Copilot processes content as part of its normal function. The user might simply ask Copilot to summarize their inbox, and the act of reading an email containing an injected prompt is enough to trigger the exploit. The user exercised no poor judgment. They followed no suspicious link. They simply used the tool as intended.
This represents a fundamental shift in how AI-assisted productivity tools need to be secured. It's analogous to the difference between a virus that requires you to run a malicious executable (user action required) and a worm that propagates across a network through normal traffic (no user action required). The latter category of threats historically proved far more dangerous because they couldn't be addressed through user education alone—they required architectural defenses.
The Verification Dimension We've Been Building
This series introduced the security-as-verification-dimension thread in July, when the Veracode GenAI Code Security Report found that 45% of AI-generated code contains security vulnerabilities. In the same month, GitHub reported that 46% of code from active Copilot users was AI-generated. The collision of those two statistics—45% vulnerable and 46% AI-generated—created an uncomfortable arithmetic.
EchoLeak adds a new layer to that arithmetic. It's not just that AI generates vulnerable code. It's that AI systems themselves are vulnerable to attacks that exploit their core functionality. The tool you're using to write code can be compromised. The assistant you're using to analyze documents can be turned into a data exfiltration vector. The productivity enhancement that justified enterprise adoption becomes a security liability that traditional security tools weren't designed to detect.
The Veracode numbers told us AI-generated outputs need verification. EchoLeak tells us AI system behavior needs verification too. The model's inputs, the model's processing, and the model's outputs all represent attack surfaces that require monitoring, validation, and enforcement.
What Enterprise Security Teams Are Missing
Most enterprise security architectures treat AI assistants as trusted applications. Once Copilot or a similar tool passes initial security review and procurement approval, it operates within the organization's trust boundary. It accesses email, documents, calendars, and chat—all the data it needs to be helpful—and that access is considered legitimate because it was explicitly granted.
EchoLeak exploits exactly that trust relationship. The vulnerability doesn't involve unauthorized access to data. It involves authorized access being manipulated to serve unauthorized purposes. This is a category of threat that perimeter security, endpoint protection, and traditional access controls don't address because the attack vector is the application's authorized behavior.
The gap is in what happens between input and output—the processing layer where the AI model interprets content and generates responses. If a malicious prompt embedded in a document causes the model to include sensitive data in an outbound request, no firewall detects that as malicious because the model is doing what it's authorized to do: reading content and generating responses.
Closing this gap requires infrastructure that operates at the AI layer, not the network layer. It requires monitoring what the model is being asked to do, verifying that the model's behavior aligns with intended use, and enforcing boundaries on model outputs regardless of what the inputs contain. This is guardrail infrastructure—and it's the layer that most enterprise security architectures haven't built yet.
The Broader Prompt Injection Landscape
EchoLeak is the highest-profile prompt injection vulnerability disclosed to date, but it's far from the only one. The prompt injection attack class has been escalating throughout 2025 in both sophistication and severity.
The FlipAttack research demonstrated that simple character reordering could bypass guardrails with near-perfect success rates. The GTG-2002 threat actor, disclosed by Anthropic in August, used Claude Code to attack 17 or more organizations—demonstrating that AI coding tools can be weaponized by adversaries who understand their capabilities. And the steady drumbeat of jailbreak discoveries throughout the year has made clear that the cat-and-mouse game between guardrail developers and attack researchers isn't converging toward security.
The FTC chose this month to initiate a formal inquiry into generative AI developer measures to mitigate harms to minors—a separate vector from prompt injection, but part of the same broad pattern: AI systems are being deployed at massive scale with security and safety properties that haven't been adequately verified. The regulatory response is catching up to the threat landscape, but the gap between known vulnerabilities and deployed defenses remains wide.
The pattern is clear enough: as AI systems become more capable and more deeply integrated into enterprise workflows, the value of compromising them increases, and the attack surface grows. CVSS 9.6 is a score that gets board-level attention. The question is whether it triggers a strategic response—investment in AI-layer security infrastructure—or a tactical one—patching this specific vulnerability and waiting for the next.
What Teams Should Build
The EchoLeak disclosure should prompt engineering and security leaders to evaluate their AI deployment architecture against a specific set of questions.
First, do you monitor AI system behavior at the processing layer? Not just inputs and outputs, but the model's interpretation and response patterns. If an AI assistant suddenly changes its response behavior after processing specific content, does anything in your stack detect that?
Second, do you enforce boundaries on AI system outputs? When Copilot or a similar tool generates a response, does your infrastructure validate that the response doesn't contain data that shouldn't be exfiltrated? Can you define output policies that the model cannot violate regardless of what its inputs contain?
Third, do you audit AI system interactions? If a prompt injection exploit were active in your environment for a week before detection, could you reconstruct which data was accessed, which responses were generated, and which outputs may have been compromised? Audit trails that capture AI system behavior at the event level—not just at the application log level—are what makes post-incident investigation possible.
Fourth, are your guardrails provider-independent? If you're securing Copilot but not Claude, not Gemini, and not the open-source models individual team members might be using through third-party tools, your security posture has gaps that attackers will find.
The EchoLeak vulnerability will be patched. Microsoft's security team is responsive, and the disclosure-to-fix cycle for critical CVEs in enterprise products is measured in days, not months. But the vulnerability class—prompt injection in enterprise AI assistants—isn't going away. It's going to intensify as AI tools become more capable, more integrated, and more trusted.
The organizations that treat EchoLeak as a category warning rather than a specific incident will be the ones that build the infrastructure to survive the next CVSS 9.6 disclosure. And there will be a next one.