Zero-click EchoLink exploit compromises Microsoft 365 Copilot security

The security researchers at Check Point have discovered a zero-click vulnerability in Microsoft 365 Copilot, which they have named “EchoLink”.

The exploit enabled attackers to access sensitive company data without any user interaction – an attack scenario that experts believe marks the beginning of a new era of AI-based cyberattacks.

EchoLink’s attack principle is as simple as it is effective: cybercriminals can embed malicious prompts in seemingly harmless content such as Word documents, calendar entries, or emails. As soon as Microsoft 365 Copilot loads this content for processing, the hidden instructions are executed automatically.

As a result, the AI discloses sensitive information such as project reports, meeting notes, or other confidential documents – completely unnoticed by the users. The attack takes place entirely in the background, without the need for a click, download, or other user action.

Microsoft closed the vulnerability after it was reported by Check Point researchers in June 2025. However, the security experts do not see EchoLink as an isolated case, but as a harbinger of a new generation of AI-based attacks.

Built-in protection measures are not enough

“EchoLink is not an isolated case, but a warning signal for the entire industry,” explains Marco Eggerling, Global CISO at Check Point Software Technologies. “AI-based attacks are already a reality and will continue to increase in the future. Companies that rely on fragmented or purely built-in protection measures risk data loss and reputational damage.”

Specialized AI defense required

According to Check Point researchers, the new generation of zero-click exploits in AI environments requires advanced security solutions that have been specially developed for cloud-based collaboration platforms such as Microsoft 365, Google Workspace, Microsoft Teams, or Slack.

These should offer the following protective functions:

• AI and ML-powered detection of malicious prompts, payloads, and suspicious behavioral anomalies
• Proactive zero-click prevention by scanning all documents, links, and embedded content before user interaction
• Context-sensitive data loss prevention (DLP) to prevent unauthorized data outflows
• Central management with complete transparency via a standardized dashboard

The EchoLink vulnerability shows that companies need to be prepared for a new dimension of cyber threats. While traditional attacks usually rely on human weaknesses such as phishing or social engineering, AI-based exploits take advantage of the automation and trust that users place in their intelligent assistants.

(lb/Check Point)