~50โ84%. A zero-click exploit hit Microsoft 365 Copilot in June 2025 (CVE-2025-32711, CVSS 9.3): one crafted email exfiltrated data from OneDrive and SharePoint with no user interaction. No antivirus caught it.