EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System

Authors

  • Pavan Reddy The George Washington University
  • Aditya Sanjay Gujral The George Washington University

DOI:

https://doi.org/10.1609/aaaiss.v7i1.36899

Abstract

Large language model (LLM) assistants are increasingly integrated into enterprise workflows, raising new security concerns as they bridge internal and external data sources. This paper presents an in-depth case study of EchoLeak (CVE-2025-32711), a zero-click prompt injection vulnerability in Microsoft 365 Copilot that enabled remote, unauthenticated data exfiltration via a single crafted email. By chaining multiple bypasses--evading Microsoft’s XPIA (Cross Prompt Injection Attempt) classifier, circumventing link redaction with reference-style Markdown, exploiting auto-fetched images, and abusing a Microsoft Teams proxy allowed by the content security policy, EchoLeak achieved full privilege escalation across LLM trust boundaries without user interaction. We analyze why existing defenses failed, and outline a set of engineering mitigations including prompt partitioning, enhanced input/output filtering, provenance-based access control, and strict content security policies. Beyond the specific exploit, we derive generalizable lessons for building secure AI copilots, emphasizing the principle of least privilege, defense-in-depth architectures, and continuous adversarial testing. Our findings establish prompt injection as a practical, high-severity vulnerability class in production AI systems and provide a blueprint for defending against future AI-native threats.

Downloads

Published

2025-11-23

How to Cite

Reddy, P., & Gujral, A. S. (2025). EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System. Proceedings of the AAAI Symposium Series, 7(1), 303–311. https://doi.org/10.1609/aaaiss.v7i1.36899

Issue

Section

Engineering Safety-Critical AI Systems