Critical flaw in Microsoft Copilot could have allowed zero-click attack - Cybersecurity Dive
A critical zero-click vulnerability, dubbed "EchoLeak" and identified as CVE-2025-32711, was discovered in Microsoft Copilot. This flaw leveraged an "LLM scope violation" to allow remote attackers to exfiltrate sensitive data from Microsoft 365 services without any user interaction.