.@Microsoft patched a “zero-click” flaw in its Microsoft 365 Copilot retrieval-augmented generation (RAG) tool that could have allowed for exfiltration of sensitive data, according to @Aim_Security_. #cybersecurity #infosec #AI #ITsecurity https://t.co/1dpw09wOEu
Threat Actor Abuses TeamFiltration for Entra ID Account Takeovers: https://t.co/OWC5aJYdMt by darkreading #infosec #cybersecurity #technology #news
Copilot leak: when Microsoft's AI becomes a data sieve https://t.co/AMTYU5AveC
Researchers from Aim Security discovered a critical zero-click vulnerability, dubbed EchoLeak, in Microsoft's 365 Copilot AI agent. This flaw allowed attackers to silently extract sensitive corporate data simply by sending a malicious email, without any user interaction. The exploit turned the AI assistant against itself, posing broader risks for AI agent security. Microsoft promptly patched the vulnerability and confirmed that no customers were affected or had data compromised. The flaw, identified as CVE-2025-32711 with a CVSS score of 9.3, highlighted emerging cybersecurity challenges in AI-powered tools. The incident marks the first known zero-click attack targeting an AI agent, underscoring the need for heightened vigilance in AI cybersecurity.