Microsoft Copilot Cowork — the new agentic feature in Microsoft 365 — can be tricked into exfiltrating your SharePoint and OneDrive files through a single poisoned “skill” file. No human approval. No warning. The files just leave through Teams messages you didn’t write, using download links you didn’t generate.
Security researchers at PromptArmor published the full attack chain on May 25, 2026. They successfully tested it against Claude Opus 4.7. Microsoft’s documentation says Copilot Cowork “asks for your permission before taking sensitive actions, like sending an email or posting a message in Teams.” That claim doesn’t survive contact with reality.
🔍 THE BOTTOM LINE
Agentic AI in enterprise software creates a new class of data exfiltration risk — and the current approval safeguards don’t cover it.
How the Attack Works
The attack chain is deceptively simple:
- You have files in SharePoint or OneDrive — the usual PII, financial data, contracts
- You upload a skill file to Copilot Cowork — this is routine; users find files online and upload them as skills. Admins have limited oversight — skills auto-load from a specific OneDrive path
- The skill contains an indirect prompt injection — hidden instructions that tell Copilot Cowork to do something the user never asked for
- You ask Copilot Cowork a normal question — like “review what I worked on this week”
- The injection manipulates Copilot into posting a Teams message — the message contains pre-authenticated SharePoint/OneDrive download links embedded as image tags pointing to an attacker-controlled server
- You open Teams — the links fire automatically when the message renders
- The attacker downloads your files — pre-authenticated links mean anyone with the URL can access the file
At no point does Copilot Cowork ask for human approval. The trick? Microsoft’s system auto-approves emails and Teams messages when the recipient is the active user — you. Sending a message to yourself doesn’t trigger the approval gate. The malicious content is invisible even when you inspect the Teams action in the task log.
What is indirect prompt injection? Indirect prompt injection is an attack where hidden instructions are embedded in data that an AI system reads — like a document, email, or skill file. The AI follows these hidden instructions instead of, or in addition to, the user’s actual request. For example, a “skill” file might contain invisible text telling the AI to exfiltrate files, and the AI obeys because it can’t distinguish the injection from legitimate instructions.
Why This Matters
This isn’t a theoretical vulnerability in a lab. Copilot Cowork is a generally available feature in Microsoft 365. It runs with the user’s full Microsoft Graph permissions — meaning it can read anything the user can read. And the attack doesn’t require the victim to do anything unusual. Uploading a skill file is a normal, encouraged workflow.
PromptArmor notes this is part of a broader pattern: giving agents access to multiple systems expands the prompt-injection attack surface in ways that are hard to predict. They previously demonstrated similar exfiltration through URL previews in communications apps. The Register also covered a related Claude Cowork exfiltration risk back in January — same class of problem, different product.
The core issue: an agent that can read and send messages creates a data egress path. If the approval system has gaps — and it does — the path is open.
What Microsoft Says vs What Happens
| What Microsoft’s docs claim | What actually happens |
|---|---|
| Copilot “asks for your permission before taking sensitive actions” | Messages to the active user auto-approve — no permission dialog |
| Users can control approval settings | There is no setting to change this auto-approval behaviour |
| Admins can oversee skills | Skills auto-load from OneDrive with limited admin visibility |
PromptArmor also disclosed a separate vulnerability to Microsoft that allows data egress directly from Copilot Cowork’s sandbox environment — details of that one are under responsible disclosure.
Mitigations (Such As They Are)
PromptArmor’s guidance is pragmatic if sobering:
- Restrict excessive permissions — Copilot Cowork inherits every share the user has. Reduce the blast radius by tightening Microsoft Graph permissions
- Treat agent actions as inherently risky — any system where an AI can both read sensitive data and send messages is a potential exfiltration channel
- Don’t assume approval gates work — test them yourself. The gap between documentation and behaviour is the vulnerability
There’s no fix from Microsoft yet. When you’re selling “your AI copilot that can access everything and act on your behalf,” the assurance that it asks permission first is load-bearing. Right now, that beam has a crack in it.
❓ Frequently Asked Questions
Q: What does this mean for NZ organisations using Microsoft 365? Any NZ organisation with Copilot Cowork enabled should treat it as a potential data exfiltration vector. NZ’s Privacy Act 2020 requires reasonable security safeguards for personal information — an agentic AI that can silently send files to external servers is a compliance risk. Review your Microsoft Graph permissions and consider whether Copilot Cowork should be enabled organisation-wide.
Q: Can I just disable Copilot Cowork? Yes — Microsoft 365 admins can disable Copilot Cowork at the tenant level. But the broader issue is the architecture: any agentic AI with read+send capabilities across enterprise systems has this risk profile. Disabling one product doesn’t fix the class of vulnerability.
Q: Is this a Microsoft bug or a fundamental AI agent problem? Both. The auto-approval gap is Microsoft’s bug. But the underlying issue — that indirect prompt injection in agent systems creates unpredictable data egress paths — is fundamental. Expect to see more of these as agentic features proliferate across enterprise software.
🔍 THE BOTTOM LINE
The promise of agentic AI is that it acts on your behalf. The risk is that “on your behalf” and “despite you” look identical to the system. Copilot Cowork’s approval gap isn’t a quirk — it’s a preview of every agent-first product shipping this year. If the agent can read your files and send messages, the question isn’t whether it can be tricked into exfiltrating data. It’s whether you’ll notice when it happens.
