Blog article

Zero-click exploits overview:
Zero-click exploits execute remote code without any user interaction. There is no link to click or attachment to download. The attack begins the moment the receiving software processes incoming data. For cybercriminals, email is one of the most reliable ways to deliver that data.
Traditional security awareness training tells employees to stay vigilant: Verify the sender, don’t open unexpected attachments, and don’t click on suspicious links. That model assumes a human decision sits between the attacker and execution. Zero-click exploits don’t.
For security leaders assessing their organization’s exposure, that difference is significant.
Attackers craft a malicious input designed to exploit a vulnerability in software that automatically processes incoming data. The attack happens the moment the application parses the content. No user decision is required.
This is fundamentally different from phishing. Phishing relies on social engineering to persuade a user to perform an action. Zero-click exploits rely on software vulnerabilities and need no human decision at all. That’s what makes them particularly difficult to defend against.
Email is one of the most reliable zero-click delivery channels because email clients parse incoming content by design. Headers, body text, attachments, and links are generally all processed automatically. That parsing behavior is essential for email to function, and it’s the same behavior that zero-click exploits use.
The consequences are severe. Once an attacker gains access, they can install malware, exfiltrate data, or move laterally across a network before IT is aware that anything has happened. In large, distributed environments, the window for detection is narrow, and the potential damage is significant.
These aren’t theoretical risks. Three documented vulnerabilities from 2024 and 2025 demonstrate how consistently the email inbox has served as the delivery mechanism, and how little user interaction was required.
In April 2024, Morphisec researchers discovered a critical vulnerability in Microsoft Outlook that allowed attackers to execute code the moment a malicious email was opened. The vulnerability used injected Outlook Forms to achieve remote code execution. Outlook’s auto-open email feature eliminated the interaction requirement entirely.
Morphisec warned that the exploit’s simplicity made it likely that attackers would use it for initial access. Attackers who exploited the vulnerability could execute arbitrary code with the same privileges as the user, potentially leading to full system compromise. Microsoft patched the vulnerability in its 2024 Patch Tuesday update. The CVE carries a CVSS score of 8.8.
A second vulnerability, disclosed in January 2025 in the Windows Object Linking and Embedding (OLE) technology, allowed attackers to execute remote code through a specially crafted RTF document. The flaw resided in ole32.dll, where a double-free memory error occurred when processing embedded OLE objects.
Opening or previewing the malicious email in Microsoft Outlook was enough to trigger the attack. No further user interaction was required. It is rated as critical, with a CVSS score of 9.8.
In June 2025, Aim Labs, the research division of Aim Security, disclosed EchoLeak, the first documented zero-click exploit against an AI agent. The vulnerability affected Microsoft 365 Copilot and required no user interaction beyond receiving an email.
An attacker needed only to send a crafted email to a target. Microsoft 365 Copilot would process hidden prompt injection instructions embedded in the email and leak confidential data (including chat logs, documents, and emails) without the recipient taking any action.
The CVE has a CVSS score of 9.3. Microsoft resolved the issue in June 2025.
All three vulnerabilities share a common thread: The email inbox was the delivery mechanism, and the attack was executed before the user made any decision. In each case, the vulnerability existed in software behaving exactly as designed.
Zero-click exploits don’t have a single fix. They require overlapping controls that address different parts of the attack surface. The steps below don’t eliminate the risk entirely, but together they reduce exposure significantly.
Patch firmware and software continuously. Most documented zero-click exploits target known vulnerabilities with available patches. Delayed patching is where most businesses remain exposed. Apply patches as they’re released, prioritizing email clients, operating system components, and software that processes external data.
Apply network-level controls. Network controls can block malicious traffic before it reaches vulnerable software. Network segmentation limits what an attacker can reach post-execution, constraining lateral movement and reducing the damage they can do once inside.
Restrict high-risk applications and services. Services that automatically process external content are the execution path that zero-click exploits rely on. Disabling or restricting them reduces the number of potential entry points.
Harden devices and tighten access controls. Hardening restricts what a compromised component can access and reduces the damage an attacker can do once inside. Measures include disabling unnecessary services, restricting background execution, and tightening application permissions.
Zero-click exploits are a multi-layered problem that requires a multi-layered response. Patching, network controls, device hardening, and access controls each address a different part of the attack surface.
Email authentication addresses the delivery layer itself. A DMARC policy of p=reject blocks unauthenticated and spoofed email from reaching inboxes. It doesn’t patch software vulnerabilities, and it doesn’t prevent exploits sent from legitimate but compromised accounts. What it does is remove a primary delivery vector for email-borne zero-click payloads originating from spoofed or unauthorized sources.
Aggregate DMARC reporting gives security teams visibility into every source sending email from their domain, including unauthorized senders they don’t know about.
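The two controls described above, a p=reject policy and aggregate (rua) reporting, are both things a team can check mechanically. The following is an added example, not code from the original article or from Sendmarc: it parses a DMARC TXT record, flags settings that let spoofed mail through (a policy weaker than reject, a pct below 100, a weaker subdomain policy, no rua address), and then reads a DMARC aggregate report in the standard XML format to list sending sources whose mail failed both DKIM and SPF. The record strings and the report XML are constructed sample data; the domain and IP addresses are documentation values, not real senders.

```python
import xml.etree.ElementTree as ET

# Constructed sample records (assumed, not taken from any real domain).
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Constructed aggregate report in the RFC 7489 feedback format, trimmed to
# the elements used below. 192.0.2.10 is an authorized sender; 198.51.100.7
# fails both DKIM and SPF, i.e. an unknown or spoofing source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>17</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a tag -> value dict and validate the
    two mandatory tags (v=DMARC1 and p=)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def assess_policy(tags):
    """Return a list of findings describing how much spoofed mail the
    published policy still lets reach inboxes. Empty list = p=reject applied
    to 100% of mail on the domain and its subdomains, with reporting on."""
    findings = []
    policy = tags["p"].lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not blocked")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p
    if subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility")
    return findings


def unauthorized_sources(report_xml):
    """From an aggregate report, list each source IP whose mail failed both
    DKIM and SPF alignment, with the message count and the disposition the
    receiver applied. Sources passing either check are treated as aligned."""
    root = ET.fromstring(report_xml)
    sources = []
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        if dkim == "pass" or spf == "pass":
            continue
        sources.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
        })
    return sources


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_policy(parse_dmarc_record(record)))
    print(unauthorized_sources(SAMPLE_REPORT))
```

With the weak record the report shows 17 messages from an unaligned source that were delivered anyway (disposition none), which is exactly the gap a move to p=reject closes; under the strong record the same report would show that source with disposition reject. In practice the record comes from a DNS TXT lookup of `_dmarc.<domain>` and the reports arrive gzipped or zipped at the rua address, so a real tool wraps these two functions with a resolver and an archive reader.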
Sendmarc helps teams:
Unauthenticated email reaching inboxes is an unnecessary risk. See what’s currently sending from your domain and what shouldn’t be.