Skip to content
AM-045
← Back to ledger
Holding·last review10 Jun 2026

EchoLeak (CVE-2025-32711, disclosed by Aim Security in June 2025 against Microsoft 365 Copilot) is the canonical example of a class of attacks rather than a single vulnerability: cross-agent prompt injection in which a malicious payload travels through ordinary content channels (an email, a shared document, a calendar invite, a tool response) into one or more agents' context windows, where it manipulates the agents into actions the deploying enterprise did not authorise, with no user interaction required. The attack class is structurally inherent to any architecture in which an LLM-based agent ingests untrusted content and has tool surfaces capable of exfiltration or action; closing the class requires architectural separation between content-ingest and tool-execution privileges, not point-fixes against specific exploit chains. Enterprises in 2026 operating multiple agents that share context, share memory, or hand off tasks to each other are structurally exposed to the EchoLeak class until the architectural separation is implemented.

Re-review 10 Jun 2026: all load-bearing facts verified in extracted source text. NVD description verbatim: 'Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network' — CVSS vector UI:N (no user interaction), MSRC severity 9.3 Critical, published 11 Jun 2025. Aim Labs discovery, zero-click framing, and 'LLM Scope Violation' class language confirmed across the disclosure corpus. Live Aim Security URL now 301-redirects to catonetworks.com (Cato Networks acquired Aim); the Wayback snapshot in sourceArchives is the durable pointer for the original blogpost. EchoLeak / cross-agent prompt-injection class analysis. 60-day review cadence given the active research front. Watches: (1) new CVEs in the cross-agent prompt-injection class (multiple research groups are actively probing major agent platforms; expect 2-4 additional public CVEs in 2026), (2) vendor-side architectural responses (Microsoft's post-EchoLeak hardening, Anthropic's Managed Agents context-isolation primitives, OpenAI's Operator sandboxing), (3) regulator response under EU AI Act Article 15 (cybersecurity provisions) which is likely to formalise the cross-agent prompt-injection class as a foreseeable risk by Q4 2026.

Published
26 Apr 2026
Last reviewed
10 Jun 2026
Next review
+58d· 9 Aug 2026
Source piece
EchoLeak and the cross-agent prompt-injection classRead piece →
Primary sources
Permalink/holding/AM-045/
Embed this claimiframe + oEmbed
HTML iframe
Paste-the-URL (Substack, Medium, Notion, WordPress)

The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.

Watch this claim

Email-me when AM-045's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.

The claim: EchoLeak (CVE-2025-32711, disclosed by Aim Security in June 2025 against Microsoft 365 Copilot) is the canonical example of a class of attacks rather than a single vulnerability: cross-agent prompt injection in which a malicious payload travels through ordinary content channels (an email, a shared document, a calendar invite, a tool response) into one or more agents' context windows, where it manipulates the agents into actions the deploying enterprise did not authorise, with no user interaction required. The attack class is structurally inherent to any architecture in which an LLM-based agent ingests untrusted content and has tool surfaces capable of exfiltration or action; closing the class requires architectural separation between content-ingest and tool-execution privileges, not point-fixes against specific exploit chains. Enterprises in 2026 operating multiple agents that share context, share memory, or hand off tasks to each other are structurally exposed to the EchoLeak class until the architectural separation is implemented.

About this register

The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.

Recent corrections in Reporting

  • AM-132 · Partial · 10 Jun 2026

    One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.

  • AM-129 · Partial · 10 Jun 2026

    One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.

  • AM-201 · Partial · 10 Jun 2026

    One of four named datasets unanchored on review. The claim text names 'Stanford DEL's 12% clearing 300%+ ROI vs 88% at or below break-even' as one of four independent datasets. Full-text verification on 10 Jun 2026 found the Stanford DEL Enterprise AI Playbook contains no such distribution — it studies 51 successful deployments by design and carries no ROI-realisation failure data (full finding at AM-029, correction of 10 Jun 2026). The McKinsey (23% scaling, 17% EBIT-attribution), Gartner (28% fully paying off), and MIT NANDA (95% no measurable P&L impact) datasets verify; the claim's spine stands on three datasets rather than four. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric from an ROI distribution. Status Up -> Partial.

Reviews coming up in Reporting

  • AM-063 · Holding · next +15d (27 Jun 2026)

    AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…

  • AM-061 · Holding · next +15d (27 Jun 2026)

    Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…

  • AM-003 · Partial · next +15d (27 Jun 2026)

    GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…