CVE-2025-32711 Microsoft 365 Copilot EchoLeak: Zero-click AI Vulnerability
Learn how a zero-click vulnerability in Microsoft 365 Copilot, called 'EchoLeak', exposes sensitive internal data. This episode breaks down how it works, why it matters, and what your organization can do to defend against it.
What you'll learn
AI-powered assistants like Microsoft 365 Copilot offer powerful productivity gains, but they also introduce new and unique security risks. In this episode, CVE-2025-32711, also known as EchoLeak, is put under the microscope. You’ll explore how this critical zero-click vulnerability allows attackers to exploit Copilot using indirect prompt injection: embedding hidden instructions in everyday content such as email footers and shared documents. You’ll also learn how the vulnerability works, why it’s rated CVSS 9.3, and what mitigations Microsoft has deployed. More importantly, we’ll cover actionable steps your organization should take to reduce exposure, and how AI alters the security landscape.
About the author
Chris Jackson is a cybersecurity professional with years of experience in identifying security incidents, securing applications and security training. Over the years, he has tested web applications for vulnerabilities, helped deploy SIEM platforms and more. He is passionate about teaching cybersecurity and committed to learning new technologies.