Hackers Could Steal Data From Microsoft 365 Copilot Without Phishing Or Malware, Says AI Startup — 'EchoLeak' Flaw Took 5 Months To Fix

A critical security flaw was discovered in Microsoft MSFT 365 Copilot, an AI tool integrated into various Microsoft Office applications. This vulnerability could potentially lead to attacks on sensitive data.

What Happened: The security flaw in Microsoft 365 Copilot was identified by AI security startup Aim Security. This flaw, named “EchoLeak,” could be exploited by hackers to access sensitive information without the need for user interaction.

With Microsoft 365 Copilot, an attacker could launch an attack merely by sending an email to a user—no phishing or malware required. This could potentially expose confidential and proprietary data.

Adir Gruss, co-founder and CTO of Aim Security, told Fortune that the EchoLeak flaw is not just a regular security bug. It can have broader implications that extend beyond Copilot, rooted in a fundamental design flaw inherent to LLM-based AI agents.

Gruss stated that if he led a company working with AI agents, he would be ‘terrified’. He also attributed security flaws as the reason behind fewer companies adopting AI agents.  "They're just experimenting, and they're super afraid."

Microsoft told Fortune that it has resolved the issue upon notification, and no customers were affected. However, Gruss said that the Satya Nadella-led company took five months to address the issue. Gruss stated that a lasting solution will necessitate a complete rethinking of how AI agents are designed.

SEE ALSO: Mark Cuban Predicts AI Video Will Trigger ‘An Explosion’ In Face-To-Face Engagement, Events And Jobs. Calls It ‘The Milli Vanilli Effect’

Why It Matters: The discovery of this security flaw raises concerns about the potential risks associated with AI agents. This incident highlights the need for robust security measures to protect sensitive data from such vulnerabilities.

Today's Best Finance Deals

Earlier this year, Microsoft CEO Satya Nadella had introduced a new tool that allows anyone to create AI agents that can perform tasks on desktop and web applications. This recent security flaw in the Copilot AI tool underscores the importance of ensuring the security of AI agents.

Meanwhile, tech giant Google GOOGL GOOG has been deploying its on-device AI model to detect and block fraudulent websites in real-time, significantly expanding its security capabilities. This proactive approach to AI security could serve as a model for other companies looking to enhance the security of their AI systems.

According to Benzinga Edge Stock Rankings, Microsoft has a growth score of 90.75% and a quality rating of 63.33%. Click here to see how it compares to other leading tech companies.

On a year-to-date basis, Microsoft stock surged 12.9%.

• READ MORE: Sundar Pichai Says He Gets Frustrated, Angry, But Realized Losing His Temper Doesn’t Lead To Productivity Because Sometimes ‘Silence Can Deliver’ More: Here’s What He Learned Because Of Soccer

Image via Shutterstock

Disclaimer: This content was partially produced with the help of AI tools and was reviewed and published by Benzinga editors.