Researchers discover zero-click vulnerability in Microsoft Copilot

The Hindu, 2 days ago

Researchers have said that Microsoft Copilot had a critical zero-click AI vulnerability that was fixed before hackers stole sensitive data. Called 'EchoLeak,' the attack was mounted by Aim Labs researchers in January this year and later reported to Microsoft.
In a blog post, the research team said that EchoLeak was the first zero-click attack on an AI agent and could be carried out remotely via an email.
The vulnerability was assigned the identifier CVE-2025-32711, rated critical, and eventually fixed in May.
The researchers have categorised EchoLeak under a new class of vulnerabilities called 'LLM Scope Violation,' which can lead a large language model to leak internal data without any interaction with the hacker.
Although Microsoft acknowledged the security flaw, it confirmed that there had been no instance of exploitation that had impacted users.
Users receive an email designed to look like a business document, embedded with a hidden prompt injection that instructs the LLM to extract and exfiltrate sensitive data. When the user asks Copilot a query, the email is retrieved into the LLM prompt by Retrieval-Augmented Generation (RAG).
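The retrieval step described above is where external email text and internal data end up in the same prompt. The sketch below is an added example, not Microsoft's fix or the researchers' code: it shows one way a RAG pipeline could enforce a scope rule at that point. The `Chunk` fields, the toy retriever, the sample store and the rule itself are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    source: str       # where the retriever found the text
    external: bool    # True when the text came from outside the organisation
    sensitive: bool   # True when the text holds internal data
    text: str

# Constructed sample store: one inbound email and two internal documents.
STORE = [
    Chunk("email:inbound", True, False,
          "Onboarding guide for new hires. [hidden instructions for the assistant]"),
    Chunk("sharepoint:hr", False, True,
          "Onboarding checklist with salary bands for new hires."),
    Chunk("wiki:it", False, False,
          "How to reset a laptop password."),
]

def retrieve(query, store, k=2):
    """Toy retriever: rank chunks by how many query words they contain."""
    words = set(query.lower().split())
    def score(c):
        return len(words & set(c.text.lower().replace(".", " ").split()))
    ranked = sorted(((score(c), c) for c in store), key=lambda s: -s[0])
    return [c for s, c in ranked if s > 0][:k]

def enforce_scope(chunks):
    """Assumed rule: external text never shares a prompt with sensitive data."""
    if any(c.sensitive for c in chunks):
        kept = [c for c in chunks if not c.external]
    else:
        kept = list(chunks)
    dropped = [c for c in chunks if c not in kept]
    return kept, dropped

def build_prompt(query, store=STORE):
    """Assemble the LLM prompt and report which chunks the rule excluded."""
    kept, dropped = enforce_scope(retrieve(query, store))
    context = "\n".join(f"[{c.source}] {c.text}" for c in kept)
    return f"Context:\n{context}\n\nQuestion: {query}", dropped
```

The `dropped` list is worth logging: an inbound email that keeps matching queries which also pull sensitive documents is a useful detection signal.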
