Microsoft 365 Copilot: New Zero-Click AI Vulnerability Allows Corporate Data Theft - Infosecurity Magazine
Researchers have uncovered "EchoLeak," a critical zero-click vulnerability in Microsoft 365 Copilot that exploits design flaws inherent to Retrieval Augmented Generation (RAG) applications. This flaw, leveraging an "LLM Scope Violation" technique, allows for the automatic exfiltration of sensitive corporate data from the LLM's context without requiring user interaction.
Source: Original Report