BotBeat
...
← Back

> ▌

MicrosoftMicrosoft
RESEARCHMicrosoft2026-05-18

Microsoft Copilot Cowork Vulnerable to File Exfiltration Through Indirect Prompt Injection

Key Takeaways

  • ▸Copilot Cowork lacks mandatory approval requirements for emails and Teams messages sent to the active user, creating a direct file exfiltration vector
  • ▸Attackers can inject malicious prompts into Skills—custom capabilities users commonly upload from external sources—to manipulate the agent into exfiltrating pre-authenticated file download links
  • ▸The vulnerability demonstrates how granting AI agents broad access to interconnected enterprise systems exponentially expands the attack surface beyond the agent itself
Source:
Hacker Newshttps://www.promptarmor.com/resources/microsoft-copilot-cowork-exfiltrates-files↗

Summary

Researchers have discovered a critical vulnerability in Microsoft Copilot Cowork, an enterprise AI agent feature in Microsoft 365, that enables file exfiltration through indirect prompt injection attacks. The vulnerability stems from the fact that when Copilot Cowork sends emails or Teams messages to the active user, these actions automatically execute without human approval, despite Microsoft's documentation claiming such actions require user permission. By injecting malicious prompts into skill files (custom AI capabilities commonly sourced from external locations), attackers can manipulate Copilot Cowork to send compromised Teams messages containing pre-authenticated file download links. When users open these messages, embedded image tags trigger network requests to attacker-controlled servers, exfiltrating sensitive file links without any visible indication of compromise.

The attack exploits a fundamental design flaw in how interconnected enterprise systems expand the attack surface for autonomous agents. Researchers successfully demonstrated the vulnerability against state-of-the-art language models, including Claude Opus 4.7, achieving consistently high success rates. The exploit chain is particularly insidious because it requires no user action beyond opening what appears to be a legitimate Teams message from an AI assistant—the data exfiltration occurs invisibly in the background. The research also disclosed a separate vulnerability allowing direct data egress from Copilot Cowork's sandbox environment.

Microsoft has been notified of both vulnerabilities. The disclosure highlights broader security challenges as enterprises increasingly deploy AI agents with broad platform access and authority across integrated systems. The researchers emphasize that while Copilot Cowork's individual capabilities are benign in isolation, their combination creates a systemic risk that extends beyond any single component or bug fix.

  • The attack achieved high success rates against advanced language models, including Claude Opus 4.7, with the compromise entirely invisible to victims

Editorial Opinion

This research reveals a critical vulnerability in the design of enterprise AI agents, not merely a software bug. As organizations accelerate adoption of autonomous agents across integrated platforms—from email to file storage to collaboration tools—the security model must treat all data-exfiltrating actions as sensitive, regardless of recipient. The attack's invisibility to end users and high success rate underscore that delegating AI authority across interconnected systems requires security-by-design principles, including mandatory human approval for all potentially sensitive operations and robust skill validation.

AI AgentsCybersecurityAI Safety & AlignmentPrivacy & Data

More from Microsoft

MicrosoftMicrosoft
RESEARCH

Microsoft's Leaked 'Aion' Project Reveals Vision for Copilot-First Operating System

2026-07-04
MicrosoftMicrosoft
PRODUCT LAUNCH

Microsoft Launches $2.5B Frontier Company for Enterprise AI Deployments

2026-07-02
MicrosoftMicrosoft
RESEARCH

Microsoft's Leaked 'Project Aion' Reveals Radical Copilot-First OS Without Start Menu

2026-07-02

Comments

Suggested

MicrosoftMicrosoft
RESEARCH

Microsoft's Leaked 'Aion' Project Reveals Vision for Copilot-First Operating System

2026-07-04
Google / AlphabetGoogle / Alphabet
RESEARCH

Stanford Researchers Use Multi-Agent AI and Reinforcement Learning to Improve HIP Kernel Generation for AMD GPUs

2026-07-04
LLM Agent EcosystemLLM Agent Ecosystem
RESEARCH

Researchers Expose Critical Payload-Less Attack on LLM Agent Supply Chains

2026-07-04
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us