RAG Copilot

intelligence gathering

AI zero-hit vulnerability: can steal Microsoft 365 Copilot data

Aim Security has discovered the "EchoLeak" vulnerability, which exploits a design flaw typical of RAG Copilot, allowing an attacker to automatically steal any data in the context of M365 Copilot without relying on specific user behavior. The main attack chain consists of three different vulnerabilities, but Aim Labs has identified other vulnerabilities during its research that may enable exploitation.

chief security officer
June 12, 2025
07.2K01