EchoLeak

In the EchoLeak class of attack, a crafted email or document lands in a user's mailbox or shared store and is later retrieved by Copilot during a routine prompt. The hidden instructions then cause Copilot to return sensitive content to the attacker via an output channel.

EchoLeak-style attacks share common characteristics:

• Zero-click delivery: The victim does not have to interact with the malicious content.
• Indirect injection: Instructions hide inside retrieved data, not the user's prompt.
• Cross-tenant impact: Attacker-controlled content can pull data from other users or tenants.
• Output channel abuse: Markdown, hyperlinks, or images smuggle data back to the attacker.
• Enterprise scope: Mail, SharePoint, OneDrive, and Teams are all viable injection surfaces.

EchoLeak is also a useful framing for boards and CISOs because it makes the cross-tenant data-leakage risk concrete. Treating Copilot grounding paths as a controlled data flow, with classification and policy applied in line, is the durable architectural answer.

How PointGuard AI Helps

PointGuard AI Runtime Guardrails inspect retrieved enterprise content for prompt-injection markers before it reaches the Copilot prompt, and AI Data Protection enforces classification-aware policy on Copilot output channels. The combination addresses the EchoLeak class at both the input and the output side of Copilot grounding, keeping enterprise data on the right side of trust boundaries.

Learn More

• Aim Labs: EchoLeak Disclosure
• OWASP Top 10 for LLM Applications
• Greshake et al., Indirect Prompt Injection arXiv:2302.12173