Prompt injection just graduated from theory to incident response. EchoLeak (CVE‑2025‑32711) demonstrated a zero‑click exfiltration chain inside Microsoft 365 Copilot: a single crafted external email seeded hidden instructions; Copilot later pulled that message into context, encoded sensitive details into a URL, and the client auto‑fetched the link—leaking data without the user clicking anything. The final twist: a CSP‑allowed Teams proxy retrieved the attacker’s URL on Copilot’s behalf. Below I unpack why standard defenses failed, and what an enterprise‑ready fix looks like.
The kill chain, simplified
- Seed: External email with covert instructions avoids the XPIA classifier.
- Smuggle: Copilot outputs a reference‑style Markdown link that bypasses link redaction.
- Automate: Copilot emits an image reference; the UI auto‑requests the URL (no clicks).
- Escape: Request is routed through an allow‑listed Teams URL preview proxy, evading CSP.
What actually broke
- Trust mixing: External content was concatenated into the same prompt scope as internal data.
- Output egress: Redaction covered inline links but missed reference‑style links and image fetches.
- Network guardrails: CSP blocked arbitrary domains, but an allow‑listed proxy re‑opened egress.
Why the common playbook failed
| Defense (as deployed) | Hidden Assumption | How EchoLeak invalidated it |
|---|---|---|
| Prompt‑injection classifier (XPIA) | Malicious text looks obviously malicious | Benign business phrasing carried operational instructions that slipped the filter |
| Link redaction | All external links use inline Markdown | Attack used reference‑style links and image refs |
| CSP allowlist | Allowed Microsoft domains are safe | Teams async preview proxied attacker URLs (server‑side fetch) |
| User vigilance | Users won’t click unknown links | Zero‑click via auto‑fetched images removed the human from the loop |
Design diagnosis: this is a scope violation
Copilot wasn’t “hacked” in the classic sense; its normal helpful behavior (join external + internal context; generate links/images) was repurposed into an egress channel. The fix isn’t one more filter; it’s re‑establishing boundaries—between sources of different provenance and between text the model reads and actions the client executes.
The enterprise‑grade fix (defense‑in‑depth)
Think of three gates—Input → Prompt → Output—plus Network. Each must fail closed.
1) Input gate: provenance and quarantine
- Triage by source: Tag any non‑org email/doc as
<ExternalContent>; default to exclude from mixed‑source answers unless the user explicitly opts in. - Pre‑LLM scrub: Strip/neutralize URLs, images, HTML, base64 blobs from untrusted inputs; collapse to plain text.
- User intent check: If the question is “about internal project X,” do not retrieve external mail by default.
2) Prompt gate: scope the model
- Prompt partitioning: Separate channels for instructions, internal sources, and external sources. The model is told: never execute directives originating in external channels.
- Constrained decoding for risky tasks: when answering across trust tiers, force JSON‑only output (no links, no HTML) and pass it through a policy gate.
3) Output gate: treat LLM output as untrusted
- Allowlist format: Render only a safe Markdown subset or JSON; drop images and raw HTML in mixed‑provenance answers.
- URL allowlist: Resolve, expand, and block anything not on approved domains; redact query strings entirely unless whitelisted.
- Secrets/PII scan: Block responses that include token‑like or file‑like substrings when external content influenced the draft.
- Provenance UX: Always surface “Includes external source” and show which sources—no silent absorption.
4) Network gate: CSP + brokered egress
- Default‑deny CSP (
img-src,connect-src,media-src) with no wildcards; prohibitdata:and inline event handlers. - Signed media proxy: If images must be shown, require a company proxy that re‑signs URLs (short TTL, path whitelist, size caps, no redirects to public hosts, private IP blacklist). No pass‑through URL previewers.
- No auto‑fetch: In chat UIs, never auto‑fetch model‑authored images when external content is in scope; render a placeholder with a user approval flow.
A practical hardening matrix
Below is a compact mapping you can hand to your platform/security teams.
| Attack step | Prevent with | Implementation tip |
|---|---|---|
| External mail carries hidden directives | Provenance gating | Exclude external sources from internal queries by default; allow only on explicit toggle |
| Reference‑style link in output | Output policy gate | Normalize to text; allow links only from allow‑listed internal domains |
| Auto‑fetched image leaks data | No auto‑fetch in mixed scope | Replace with consent button; pre‑flight through proxy that strips query strings |
| CSP allow‑listed proxy abused | Signed internal proxy only | Require HMAC‑signed, time‑bound URLs; block open URL previewers even if first‑party |
| Source obfuscated (“don’t mention this email”) | Mandatory provenance display | UI must disclose all sources involved in the answer |
Build‑time and run‑time controls that actually scale
- Contract tests for prompts: Unit tests that assert “external text never affects instruction channel,” using adversarial fixtures.
- Dual‑model moderation: A lightweight LLM (or rules engine) that refuses outputs containing URLs when external sources are in play.
- Red‑team as CI: Treat each new connector (email, SharePoint, Jira) as a new attack surface; add regression tests for known exfil paths.
- Auditability: Log source provenance, URLs emitted, and egress decisions—not the raw data—so IR can reconstruct flows without over‑retaining sensitive content.
What this means for buyers
If you’re evaluating AI copilots, ask vendors to prove (not just claim) they:
- Partition prompt channels by provenance, with a default‑deny posture for mixing.
- Enforce an output allowlist that blocks images/links unless the query’s provenance is internal‑only.
- Broker all media through a signed proxy and disable auto‑fetch in chat surfaces.
- Provide tenancy‑level toggles to exclude external communications from retrieval‐augmented answers.
Bottom line: EchoLeak shows that “AI safety” for enterprises is 80% software architecture and egress control, 20% model alignment. If you don’t control what the model may read and what the UI may do with its words, you don’t control your data.
Zelina for Cognaptus Insights
Cognaptus: Automate the Present, Incubate the Future