EchoLeak
Also known as: EchoLeak attack, cross-agent echo
A class of cross-agent prompt-injection attack in which adversarial content placed in a low-trust source (an email, a calendar invite, a shared document) is retrieved by one agent, becomes part of that agent's context, and is then forwarded as instruction to a second agent that has higher action authority. The attack chain exploits the asymmetry between content-ingest privileges (broad) and tool-execution privileges (narrow), with the injection bridging the gap. Named in the Agent Mode AI editorial register because the public security literature did not yet have a stable name for the pattern.
EchoLeak is the canonical attack pattern the broker-mediated multi-agent architecture is designed to defend against. The broker is the chokepoint where content provenance can be checked before content becomes instruction. Hierarchical patterns can defend if the orchestrator separates content-ingest from tool-execution privileges; peer-to-peer patterns generally cannot. Microsoft 365 Copilot's post-EchoLeak hardening tightened the same separation across the Outlook/SharePoint/Teams agent chain after a comparable real-world incident.
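One way a broker can enforce that provenance check, as an added example that is not from the original page or any vendor's implementation. The trust labels, agent names, message fields and sample content are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Trust(IntEnum):
    LOW = 0    # email, calendar invite, shared document
    USER = 1   # typed by the authenticated user

@dataclass(frozen=True)
class Segment:
    text: str
    trust: Trust
    source: str

@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    kind: str          # "data" or "instruction"
    segments: tuple    # provenance travels with the content across agent hops

class Broker:
    """Hypothetical chokepoint: agents reach tool-executing agents only through it."""
    def __init__(self, tool_agents):
        self.tool_agents = frozenset(tool_agents)
        self.audit = []

    def route(self, msg):
        low = tuple(s.source for s in msg.segments if s.trust < Trust.USER)
        # Content ingest is broad, tool execution is narrow: an instruction bound
        # for a tool-executing agent must be built only from user-trust segments.
        # An instruction carrying no provenance at all is refused as well.
        blocked = (msg.kind == "instruction" and msg.recipient in self.tool_agents
                   and (bool(low) or not msg.segments))
        decision = "quarantine" if blocked else "deliver"
        self.audit.append((decision, msg.sender, msg.recipient, low))
        return decision

def demo():
    broker = Broker(tool_agents={"mail-sender"})
    user = Segment("Send the weekly report to my manager.", Trust.USER, "chat:user")
    # Constructed sample: a placeholder standing in for text embedded in an email.
    mail = Segment("[embedded text addressed to the assistant]", Trust.LOW, "email:inbox/42")
    decisions = [
        broker.route(Message("retriever", "reader", "data", (mail,))),               # ingest as data
        broker.route(Message("reader", "mail-sender", "instruction", (user, mail))), # tainted instruction
        broker.route(Message("reader", "mail-sender", "instruction", (user,))),      # user-only instruction
    ]
    return decisions, broker.audit

if __name__ == "__main__":
    print(demo())
```

The audit tuple for the quarantined message names the low-trust source, which is the record a detection pipeline would alert on.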
Primary sources
- OWASP. Top 10 for LLM Applications 2025
- Microsoft Security Response Center. Microsoft 365 Copilot prompt-injection mitigations