Before you open this issue
Behavioral fingerprint
An agent's own generated response embeds a plain, unobfuscated markdown/rich-content reference (e.g. an image URL) carrying sensitive data in its URL; the client's rendering layer automatically fetches that URL to display the content, causing an outbound request that exfiltrates the embedded data with zero further user interaction and no separate tool call.
Why this is a new class, not a variant
This is the closest call of the candidates in this research batch — flagging the adjacency explicitly rather than asserting a clean answer.
Checked against AVE-2026-00026 (Data Exfiltration - Output Encoding): exfiltration through a tool call parameter. Checked against AVE-2026-00039 (Data Exfiltration - Covert Channel): steganographic hiding of data in visible output text (first-letter encoding, whitespace, timing) for a receiving party to later decode.
This candidate's mechanism needs neither a tool call nor obfuscation: the data doesn't need to be hidden at all, because the exfiltration channel is the client's own automatic rendering behavior, not a technique the attacker has to smuggle past a filter. "The answer itself is the beacon, and the renderer sends it for free." I believe this clears the deletion test (folding it into 00026/00039 would lose the distinction that no tool call or encoding step is required), but this is the one candidate where I'd want the human review pass to double-check my reasoning before committing to a new ave_id.
Primary source
- NVD CVE-2025-32711 — "EchoLeak", Microsoft 365 Copilot, CWE-74. CVSS 7.5 (NIST assessment) / 9.3 (Microsoft CNA assessment) — presenting both scores rather than cherry-picking; the discrepancy reflects differing scope evaluations. A single crafted email implants hidden instructions; when Copilot answers an unrelated sensitive query later, it embeds a markdown image pointing at an attacker URL that the client auto-fetches, leaking the answer content with zero user clicks.
- arXiv 2509.10540 — "EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System", peer-reviewed (also published via AAAI Symposium Series, ojs.aaai.org). Documents the exploit bypassing Microsoft's XPIA classifier, evading link redaction via reference-style markdown, and abusing a Teams proxy permitted by CSP.
- Disclosed by Aim Security researchers, June 2025; Microsoft patched server-side before public disclosure, no evidence of in-the-wild exploitation confirmed by Microsoft.
Proposed record skeleton
attack_class: Data Exfiltration - Rendered Content Auto-Fetch (naming open to discussion —
"zero-click" and "markdown/rich-media beacon" are candidate alternate names)
severity: CRITICAL per Microsoft's own CNA assessment (9.3) / HIGH per NIST (7.5) —
recommend the record honestly reflect both rather than picking one
owasp_mcp: [MCP10, MCP08] (MCP10 = Context Injection and Over-sharing — matches the
mechanism, injected content over-shared via auto-render; MCP08 = Lack of
Audit and Telemetry, secondary, since zero-click exfil leaves minimal trace).
Note this differs from AVE-2026-00026/00039's primary MCP01 (Token
Mismanagement) since this class isn't about token/credential handling
specifically, it's generic data exposure via rendering.
owasp_asi: (none proposed — TBD during implementation)
mitre_atlas: none checked as a precise fit — general prompt-injection family IDs are
already used elsewhere in the corpus, but none specifically describes the
render-triggered auto-fetch mechanism
detection_layer: runtime (the exfiltration only manifests when the agent's response is
actually rendered by the client; can't be caught by static scan of a
skill/prompt file since the beacon is typically assembled dynamically as part
of the LLM's own generated answer)
detection_stage: runtime_observed
evidence_basis_engines: [pattern, llm, sandbox]
Real-world evidence
CVE-2025-32711, a real, disclosed, patched zero-click vulnerability in a production system (M365 Copilot) with a dedicated peer-reviewed paper. Pushes THM toward 1.0 in AIVSS scoring.
Indicators of compromise
- Agent-generated response contains a markdown image or link reference whose URL includes a query parameter carrying content sourced from the conversation/context, rather than a static or previously-known asset URL
- Outbound HTTP request observed immediately after response rendering, to a domain not previously referenced anywhere in the conversation or tool results
- Response markdown uses reference-style link/image syntax in a way that evades simple substring link-redaction filters
Researcher
Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)
Before you open this issue
records/directoryBehavioral fingerprint
An agent's own generated response embeds a plain, unobfuscated markdown/rich-content reference (e.g. an image URL) carrying sensitive data in its URL; the client's rendering layer automatically fetches that URL to display the content, causing an outbound request that exfiltrates the embedded data with zero further user interaction and no separate tool call.
Why this is a new class, not a variant
This is the closest call of the candidates in this research batch — flagging the adjacency explicitly rather than asserting a clean answer.
Checked against AVE-2026-00026 (Data Exfiltration - Output Encoding): exfiltration through a tool call parameter. Checked against AVE-2026-00039 (Data Exfiltration - Covert Channel): steganographic hiding of data in visible output text (first-letter encoding, whitespace, timing) for a receiving party to later decode.
This candidate's mechanism needs neither a tool call nor obfuscation: the data doesn't need to be hidden at all, because the exfiltration channel is the client's own automatic rendering behavior, not a technique the attacker has to smuggle past a filter. "The answer itself is the beacon, and the renderer sends it for free." I believe this clears the deletion test (folding it into 00026/00039 would lose the distinction that no tool call or encoding step is required), but this is the one candidate where I'd want the human review pass to double-check my reasoning before committing to a new ave_id.
Primary source
Proposed record skeleton
Real-world evidence
CVE-2025-32711, a real, disclosed, patched zero-click vulnerability in a production system (M365 Copilot) with a dedicated peer-reviewed paper. Pushes THM toward 1.0 in AIVSS scoring.
Indicators of compromise
Researcher
Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)