June 12, 2025 // Vulnerability | #CVE-2025-32711 #Microsoft 365 Copilot #LLM Scope Violation

Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction - The Hacker News

A critical zero-click AI vulnerability, EchoLeak (CVE-2025-32711, CVSS 9.3), allowed unauthorized data exfiltration from Microsoft 365 Copilot without user interaction. The flaw used an LLM Scope Violation and indirect prompt injection in markdown content to trick the AI's Retrieval-Augmented Generation (RAG) engine into leaking sensitive contextual data.


Source: Original Report ↗