CVE-2025-32711 - Microsoft 365 Copilot EchoLeak data exfiltration
CVE-2025-32711, widely discussed as EchoLeak, is an AI command-injection issue in Microsoft 365 Copilot where untrusted content could cause information disclosure over the network. NVD marks the record as an exclusively hosted service and lists Microsoft as the CNA; Microsoft assigned a Critical CVSS score, while NVD’s enrichment currently scores it High.
This recipe has two tracks:
- Microsoft 365 Copilot tenants: confirm the service-side remediation and harden tenant data access, connector, DLP, and audit controls. A source-code repository usually cannot patch Microsoft-hosted Copilot itself.
- Owned AI assistants, copilots, RAG systems, mail/document agents, and Microsoft Graph connectors: remediate the same failure pattern in code: untrusted instructions must not drive privileged retrieval, external fetches, markdown rendering, connector calls, or data egress without policy checks.
The right outcome is a reviewer-ready PR when the repository owns an affected
AI workflow, or a TRIAGE.md note when the exposure is only a Microsoft-hosted
tenant or externally owned service.
When to use it
Use this recipe when reviewing Microsoft 365 Copilot tenant exposure or owned copilot/connectors that ingest untrusted content, fetch external resources, or can exfiltrate through model-directed output. It supports tenant audit, connector source-code remediation, prompt-provenance hardening, DLP review, and evidence that untrusted content cannot steer data egress.
Inputs
- Microsoft tenant remediation evidence, Copilot connector inventory, data classification, DLP policy, audit logs, external sharing settings, and incident owner.
- For owned code: connector source paths, retrieval filters, prompt assembly, content provenance labels, external fetch/URL rendering, and egress controls.
- Safe test fixtures for untrusted email/docs, prompt-injection markers, external-link attempts, sensitive snippets, and expected block/redaction behavior.
- Boundary notes for indexed data, user scopes, connector identities, tenant apps, outbound network destinations, and telemetry retention.
Affected versions
- Microsoft-hosted product: Microsoft 365 Copilot, serviced by Microsoft. There is no repository-level package version to bump for the hosted service.
- Vulnerability class: AI command injection / prompt injection that lets untrusted content steer a privileged assistant into disclosing data.
- Affected owned code shape: assistants that ingest emails, chats, tickets, documents, web pages, repository content, or connector data, then allow that same context to trigger external URL fetches, image loads, markdown links, tool calls, citations, or outbound messages containing privileged data.
- Fixed owned code shape: strict provenance separation, least-privilege retrieval, no automatic external fetch from untrusted content, output egress policy before rendering or sending, and tests that prove untrusted content cannot cause data exfiltration.
Indicator-of-exposure
- The repository builds or configures an AI assistant, copilot, RAG service, mail/document summarizer, enterprise search assistant, Graph connector, Teams/Slack bot, CRM/ticket agent, browser agent, or MCP tool that combines untrusted content with private data.
- The assistant can read private mail, calendars, files, SharePoint/Drive content, CRM records, tickets, secrets, customer data, source code, prompts, or tenant metadata.
- Untrusted content can influence instructions, citations, markdown rendering, URL construction, image fetching, tool arguments, callback URLs, webhook targets, or outbound messages.
- Network egress, link unfurling, image proxying, telemetry, citations, or browser/tool calls can reach attacker-controlled hosts.
- The repository defines Microsoft Graph connectors, Copilot extensions, plugins, actions, or tenant automation that broadens Copilot-visible data or relaxes DLP, sensitivity label, sharing, or audit controls.
Quick checks:
rg -n "copilot|GraphServiceClient|microsoft.graph|sharepoint|onedrive|teams|outlook|rag|retrieval|citation|markdown|image|unfurl|fetch\\(|requests\\.|httpx\\.|axios|webhook|callback|tool_call|egress|DLP|sensitivity" .
rg -n "prompt injection|system prompt|tool|connector|external_url|allowlist|blocklist|Content-Security-Policy|img-src|connect-src|proxy" .
Windows:
rg -n "copilot|GraphServiceClient|microsoft.graph|sharepoint|onedrive|teams|outlook|rag|retrieval|citation|markdown|image|unfurl|fetch\(|requests\.|httpx\.|axios|webhook|callback|tool_call|egress|DLP|sensitivity" .
rg -n "prompt injection|system prompt|tool|connector|external_url|allowlist|blocklist|Content-Security-Policy|img-src|connect-src|proxy" .
Do not validate exposure by sending crafted emails, prompts, links, or documents to production Microsoft 365 tenants, customer copilots, or live mailboxes.
Remediation strategy
- If the repository only documents or administers Microsoft 365 Copilot, write
TRIAGE.mdwith the tenant owner, Microsoft service-remediation status, connector inventory, data exposed to Copilot, DLP/sensitivity-label posture, audit-log review owner, and any tenant hardening actions. - For owned AI applications, separate trusted instructions, untrusted content, retrieved private data, and tool outputs at the data model level. Preserve provenance through prompt assembly, tool planning, rendering, logging, and outbound egress.
- Treat untrusted content as data only. It must not create or override system instructions, choose external hosts, request hidden resource loads, change tool names, set webhook destinations, or define recipient lists.
- Disable or gate automatic external fetches from generated answers, citations, markdown images, HTML, link unfurlers, browser tools, and telemetry. Use exact allowlists for required first-party hosts.
- Add an egress policy check immediately before rendering, sending, logging, or fetching. Block outbound content when the payload combines private data with an untrusted destination or untrusted instruction lineage.
- Minimize Copilot and connector blast radius: least-privilege Graph scopes, tenant-scoped connectors, sensitivity labels, DLP policies, search-result trimming, audit logging, and explicit owner review for new data sources.
- Add regression tests with local synthetic fixtures that model malicious email/document content, private data, markdown/image/link egress, and tool calls. The tests should assert that no network request or outbound message is generated from untrusted instructions.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-32711, the Microsoft 365 Copilot EchoLeak AI
command-injection / prompt-injection data-exfiltration issue, or the same
failure pattern in an owned AI assistant. Produce exactly one output:
- A reviewer-ready PR/change request that patches owned copilot, RAG,
connector, rendering, external-fetch, tool-call, and egress boundaries; adds
safe regression tests; and documents Microsoft tenant/operator actions, or
- TRIAGE.md if this repository does not own the affected Microsoft-hosted
service, connector, AI application code, data-access policy, or egress
boundary.
## Rules
- Scope only CVE-2025-32711 / EchoLeak and directly related AI command
injection, prompt provenance, private-data retrieval, rendering, external
fetch, tool-call, connector, and egress controls.
- Treat emails, chats, documents, prompts, retrieved context, tenant data,
customer data, Graph tokens, cookies, session IDs, audit logs, model-provider
keys, connector secrets, and generated answers as sensitive.
- Do not test against production Microsoft 365 tenants, live mailboxes,
customer copilots, real Graph data, or external attacker-controlled domains.
- Do not send crafted emails, links, markdown images, prompt-injection payloads,
or exfiltration probes to live users.
- Do not weaken DLP, sensitivity labels, access checks, tenant isolation,
output filtering, audit logging, or connector authorization to silence the
finding.
- Do not auto-merge.
## Steps
1. Inventory every owned AI assistant, copilot extension, Microsoft Graph
connector, RAG pipeline, mail/document summarizer, Teams/Slack bot, browser
agent, MCP server/client, tool-calling path, markdown/HTML renderer, link
unfurler, image proxy, webhook sender, and telemetry path in this repository.
2. Identify every private-data source the assistant can reach: mail, calendars,
SharePoint/Drive files, Teams messages, CRM records, tickets, source code,
secrets, tenant metadata, customer records, model prompts, and tool output.
3. Identify every untrusted-input source: inbound email, documents, comments,
tickets, chat messages, pull requests, web pages, retrieved snippets,
connector records, file names, metadata, and user-controlled URLs.
4. Trace whether untrusted input can influence:
- system/developer instructions or prompt templates;
- retrieval queries and filters;
- tool names, tool arguments, or connector calls;
- markdown/HTML rendering, citations, image sources, or link unfurling;
- webhook, callback, browser, or HTTP destinations;
- outbound messages, logs, analytics, or telemetry.
5. If the repository only consumes Microsoft-hosted Copilot and cannot patch
the service, stop with `TRIAGE.md` listing tenant owner, connector/data
sources checked, Microsoft remediation status, DLP/sensitivity-label posture,
audit-log review owner, and any tenant-hardening actions.
6. Patch owned code so prompt assembly preserves provenance for trusted
instructions, untrusted content, retrieved private data, tool output, and
user-authored output. Untrusted content must be quoted or delimited as data
and cannot override system policy.
7. Add or tighten retrieval authorization:
- use least-privilege Graph or data-source scopes;
- trim search results by user and tenant authorization before model access;
- block cross-tenant, public-link, or inherited-share surprises;
- require owner review for new Copilot-visible connectors or indexes.
8. Patch external fetch and rendering:
- disable automatic image/link/resource fetches from generated content by
default;
- strip or neutralize markdown images, HTML resources, and reference-style
links from untrusted model output when the destination is not allowlisted;
- use exact allowlists for required first-party domains;
- ensure CSP, proxy, and image-fetch rules cannot be bypassed by alternate
hostnames, redirects, encoded URLs, or protocol-relative links.
9. Add an egress guard immediately before any network request, browser/tool
call, outbound message, citation rendering, log write, or telemetry event.
The guard must block payloads that combine private data with an untrusted
instruction lineage or unapproved destination.
10. Add safe regression tests using local synthetic fixtures:
- malicious email/document text is treated as data, not instructions;
- private fixture data is not sent to untrusted URLs;
- markdown image and reference-link egress is blocked or defanged;
- browser, HTTP, webhook, and connector tools reject untrusted
destinations before network I/O;
- logs and telemetry do not contain private fixture data, prompts, tokens,
cookies, or generated bearer headers.
11. Add a PR body section named `CVE-2025-32711 operator actions` that states:
- whether this repo patches owned AI code or only triages Microsoft-hosted
Copilot exposure;
- which assistants, connectors, renderers, and egress paths were checked;
- which private data sources and untrusted inputs can meet;
- which external-fetch and outbound-message paths are now blocked or
allowlisted;
- which tenant DLP, sensitivity-label, audit, connector, and Graph-scope
actions remain for operators;
- which validation commands passed.
12. Run relevant validation: unit tests, prompt/provenance tests, local RAG
fixtures, renderer tests, egress-guard tests, connector authorization tests,
lint/typecheck, dependency/security scans, generated docs checks, and a
local non-secret smoke test.
13. Use PR title:
`fix(sec): harden AI egress for CVE-2025-32711 EchoLeak`
## Stop conditions
- The repository does not own any affected AI assistant, connector, renderer,
external-fetch path, tool-call path, Microsoft tenant control, or egress
boundary.
- The affected Microsoft 365 Copilot service is fully hosted and only
Microsoft can patch the vulnerable runtime; document tenant hardening and
owner actions in `TRIAGE.md`.
- Safe verification would require live Microsoft 365 data, production tenants,
customer prompts, real emails, real Graph tokens, or external exfiltration
probes.
- A required egress or connector control is owned by another platform team;
document the owner, evidence, deadline, and residual risk.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- For Microsoft tenants: an evidence packet that confirms service-side remediation, tenant data-governance posture, connector exposure, DLP/audit controls, and follow-up owners.
- For owned copilots/connectors: a reviewer-ready PR or change request that separates untrusted content from instructions, constrains retrieval/egress, adds regression tests, and documents monitoring.
- Or a
TRIAGE.mdfile that lists inspected tenant/code surfaces, owner, exposure boundary, required controls, missing evidence, and residual risk. - The output must not include customer data, real email/document contents, secrets, user tokens, or production Copilot transcripts.
Verification - what the reviewer looks for
- The PR distinguishes Microsoft-hosted Copilot exposure from owned AI application code that the repository can actually patch.
- Untrusted content cannot become policy, choose tools, set external destinations, or trigger hidden fetches.
- Private data keeps provenance through retrieval, prompt assembly, rendering, logging, and egress.
- External image/link/resource fetches are blocked by default or constrained to exact reviewed allowlists.
- Tests use local synthetic fixtures and do not touch live Microsoft 365 tenants, real mailboxes, real Graph tokens, customer content, or public exfiltration endpoints.
- Operator notes cover tenant DLP, sensitivity labels, Graph scopes, connector owner review, audit-log review, and remaining Microsoft-hosted-service dependencies.
Watch for
- Treating EchoLeak as only a Microsoft issue while owned copilots repeat the same prompt-injection and egress design pattern.
- Adding a prompt-only instruction such as “do not leak data” without changing retrieval, rendering, tool-call, or egress enforcement.
- Blocking direct URLs while leaving markdown images, reference links, link unfurlers, image proxies, redirects, or telemetry paths open.
- Letting untrusted documents define connector queries, webhook targets, tool arguments, recipient lists, or citation destinations.
- Logging full prompts, retrieved documents, generated answers, cookies, Graph tokens, or model-provider credentials during incident review.
Related recipes
- Source code secrets and data exposure audit
- Source code authz tenant boundary audit
- AI governance oversight evidence check
- NIST SSDF repository evidence check
References
- Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32711
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-32711
- EchoLeak research paper: https://arxiv.org/abs/2509.10540