Microsoft Copilot Cowork Vulnerable to File Exfiltration Through Indirect Prompt Injection
Key Takeaways
- ▸Copilot Cowork lacks mandatory approval requirements for emails and Teams messages sent to the active user, creating a direct file exfiltration vector
- ▸Attackers can inject malicious prompts into Skills—custom capabilities users commonly upload from external sources—to manipulate the agent into exfiltrating pre-authenticated file download links
- ▸The vulnerability demonstrates how granting AI agents broad access to interconnected enterprise systems exponentially expands the attack surface beyond the agent itself
Summary
Researchers have discovered a critical vulnerability in Microsoft Copilot Cowork, an enterprise AI agent feature in Microsoft 365, that enables file exfiltration through indirect prompt injection attacks. The vulnerability stems from the fact that when Copilot Cowork sends emails or Teams messages to the active user, these actions automatically execute without human approval, despite Microsoft's documentation claiming such actions require user permission. By injecting malicious prompts into skill files (custom AI capabilities commonly sourced from external locations), attackers can manipulate Copilot Cowork to send compromised Teams messages containing pre-authenticated file download links. When users open these messages, embedded image tags trigger network requests to attacker-controlled servers, exfiltrating sensitive file links without any visible indication of compromise.
The attack exploits a fundamental design flaw in how interconnected enterprise systems expand the attack surface for autonomous agents. Researchers successfully demonstrated the vulnerability against state-of-the-art language models, including Claude Opus 4.7, achieving consistently high success rates. The exploit chain is particularly insidious because it requires no user action beyond opening what appears to be a legitimate Teams message from an AI assistant—the data exfiltration occurs invisibly in the background. The research also disclosed a separate vulnerability allowing direct data egress from Copilot Cowork's sandbox environment.
Microsoft has been notified of both vulnerabilities. The disclosure highlights broader security challenges as enterprises increasingly deploy AI agents with broad platform access and authority across integrated systems. The researchers emphasize that while Copilot Cowork's individual capabilities are benign in isolation, their combination creates a systemic risk that extends beyond any single component or bug fix.
- The attack achieved high success rates against advanced language models, including Claude Opus 4.7, with the compromise entirely invisible to victims
Editorial Opinion
This research reveals a critical vulnerability in the design of enterprise AI agents, not merely a software bug. As organizations accelerate adoption of autonomous agents across integrated platforms—from email to file storage to collaboration tools—the security model must treat all data-exfiltrating actions as sensitive, regardless of recipient. The attack's invisibility to end users and high success rate underscore that delegating AI authority across interconnected systems requires security-by-design principles, including mandatory human approval for all potentially sensitive operations and robust skill validation.
