June 12, 2025 A new vulnerability discovered in Microsoft Copilot has raised urgent concerns about the security of autonomous AI agents. In a recent proof-of-concept attack, a cybersecurity researcher demonstrated how the AI assistant could be manipulated to leak sensitive information — simply by visiting a malicious website.
The exploit, dubbed EchoLeak, was detailed by the researcher known as Alh4zr3d and reported by Fortune. It works by embedding invisible prompt instructions in a webpage. When Microsoft Copilot, acting as a browsing agent, visits that page, it reads the prompt and unknowingly follows its hidden instructions — which can include exposing internal corporate data.
“You can make Copilot take actions you control, then exfiltrate information from the organization it’s running in,” Alh4zr3d told Fortune.
The attack highlights a growing category of threats facing agent-style AI systems — models that can browse, analyze, and act autonomously in enterprise environments. Unlike traditional exploits that target software code, EchoLeak manipulates the AI’s behaviour using language — a class of attack known as prompt injection.
Microsoft confirmed the vulnerability and says it has applied mitigations. The company described it as a “research scenario” and stated that no customer data was compromised.
Still, security experts say the implications are serious. As AI agents become more integrated into business operations, their ability to take actions based on user inputs — or in this case, inputs from untrusted websites — creates a new kind of surface for cyberattacks.
EchoLeak underscores the need to apply the same rigour to AI system inputs as we do to traditional APIs and web endpoints. Left unchecked, these systems could become high-speed, automated insider threats.
