Researchers have discovered the first zero-click AI vulnerability dubbed “EchoLeak” that allows attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user’s awareness, or relying on any specific victim behavior. Termed “LLM Scope Violation,” the new exploitation may have additional manifestations in other RAG-based chatbots and AI agents representing a major discovery advancement in how threat actors can attack AI agents – by leveraging internal model mechanics.
More details here: https://www.aim.security/lp/aim-labs-echoleak-blogpost
Ensar Seker, CISO at SOCRadar had this to say:
“The EchoLeak discovery by Aim Labs exposes a critical shift in cybersecurity risk, highlighting how even well-guarded AI agents like Microsoft 365 Copilot can be weaponized through what Aim Labs correctly terms an “LLM Scope Violation.” This attack, which allows zero-click data exfiltration from an AI assistant’s context simply by sending an email, breaks from traditional breach tactics as it doesn’t require any user action beyond receiving mail. The fact that it bypasses server-side classifiers and markdown redaction rules demonstrates how these vulnerabilities are baked into agent-level logic, not just surface UI flows.
“This has serious implications for NATO, government, defense, healthcare, and anyone using enterprise AI assistants: attackers no longer need to compromise user credentials or rely on phishing. They can manipulate a trusted AI interface directly. The multi-step EchoLeak chain is both elegant and insidious: it leverages retrieval-augmented generation (RAG), content-security-policy quirks, and markdown behavior to funnel data out silently to attacker-controlled URLs.
“What stands out especially is that this isn’t limited to Copilot. As Aim Labs warns, any RAG-based agent that processes untrusted inputs alongside internal data is vulnerable to scope violations. This signals a broader architectural flaw across the AI assistant space – one that demands runtime guardrails, stricter input scoping, and inflexible separation between trusted and untrusted content.
“Organizations deploying AI agents must act quickly: disable external email ingestion in Copilot, enforce DLP tags, and apply prompt-level filters that block structured output or suspicious links. They should also treat every AI deployment with the same scrutiny reserved for enterprise applications integrating AI-specific security controls into DevSecOps and threat modeling. Insecure guards at the model layer are now as critical a risk as insecure interfaces at the network layer.
“EchoLeak is a watershed moment. It shows that AI agents can be their own attackers, and secure-by-design principles must evolve just as AI shifts from assistant to agent.”
Well, this isn’t good given the fact that AI is being deployed everywhere for everything. I think it’s a safe bet that we’ll be seeing more of this type of exploit going forward, and the danger of these sorts of exploits will only quickly increase.
Operation Secure disrupts global infostealer malware operations
Posted in Commentary with tags Law Enforcement on June 11, 2025 by itnerdAn international law enforcement action codenamed “Operation Secure” targeted infostealer malware infrastructure in a massive crackdown across 26 countries, resulting in 32 arrests, data seizures, and server takedowns.
More than 20,000 malicious IP addresses or domains linked to information stealers have been taken down in an INTERPOL-coordinated operation against cybercriminal infrastructure.
During Operation Secure (January – April 2025) law enforcement agencies from 26 countries worked to locate servers, map physical networks and execute targeted takedowns.
Ahead of the operation, INTERPOL cooperated with private-sector partners Group-IB, Kaspersky and Trend Micro to produce Cyber Activity Reports, sharing critical intelligence with cyber teams across Asia. These coordinated efforts resulted in the takedown of 79 per cent of identified suspicious IP addresses.
Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.
Ensar Seker, CISO at SOCRadar had this comment:
“Operation Secure marks one of the most impactful international crackdowns on the infostealer ecosystem to date. What stands out is the breadth and coordination of the effort. Spanning 26 countries, seizing infrastructure, and actively notifying over 200,000 victims. This scale demonstrates a global acknowledgment that infostealers are no longer niche threats but form the backbone of modern cybercrime: from initial access brokers to identity theft, fraud, and nation-state reconnaissance.”
“These 32 arrests may seem small compared to the global volume of infections, but they’re strategically vital, targeting the operators and developers, not just low-level distributors. The seizure of 100 GB of stolen data also offers intelligence gold: victim telemetry, malware configuration, and affiliate network structures can now be analyzed to inform threat hunting and attribution efforts.”
“However, it’s important to understand that disruption is not dismantling. Just like with Lumma or RedLine, underground markets are resilient. We should expect forks, rebrands, and rebuilds. The effectiveness of Operation Secure will ultimately hinge on how well this law enforcement data is integrated into public-private threat intelligence sharing, and whether proactive takedowns continue especially in jurisdictions where cybercrime actors have historically operated with little risk.”
“For defenders, the key takeaway is clear: infostealer infections are persistent, silent, and damaging. Credential hygiene, endpoint telemetry, browser artifact scanning, and access management must be prioritized. And from a policy level, this shows the value of collaboration between cybersecurity companies, hosting providers, and global law enforcement. Something the industry must keep supporting if we want to stay ahead of evolving threats.”
Erich Kron, Security Awareness Advocate at KnowBe4 follows with this comment:
“It’s always welcome news when countries work together to take down cybercrime infrastructure and bad actors. As this is a global problem, this sort of cooperation and coordination between law enforcement organizations and the private sector from around the world is incredibly important if we are going to protect our economies from cybercriminals.”
“The theft of and selling of information is big business for cybercriminal groups, and impacts organizations and individuals alike. From personal information of employees and others, to intellectual property with a significant cost to develop, the market for stolen information has never been greater.”
Takedowns like this one are a good thing. The real trick is ensuring that the threat actors never come back. But given how out of control things are. Any day where the good guys get a win is a good day.
Leave a comment »