{"slug": "microsoft-copilot-cowork-exfiltrates-files", "title": "Microsoft Copilot Cowork Exfiltrates Files", "summary": "Microsoft Copilot Cowork, a Microsoft 365 feature, is vulnerable to file exfiltration attacks through indirect prompt injection, as it automatically approves actions like sending emails and Teams messages to the active user without requiring human approval. Attackers can exploit this by embedding malicious instructions in a skill file, causing the agent to send messages containing pre-authenticated file download links that exfiltrate data when opened. This design flaw, which achieved a high success rate against models including Claude Opus 4.7, expands the prompt-injection attack surface and poses a significant risk to enterprise data security.", "body_md": "# Microsoft Copilot Cowork Exfiltrates Files\n\nMicrosoft Copilot Cowork is vulnerable to file exfiltration attacks via indirect prompt injection as a result of insecure automatic action approvals for sending emails and Teams messages.\n\nThis attack achieved a high success rate against state-of-the-art models, including Claude Opus 4.7.\n\n[Overview](#overview)\n\nCopilot Cowork is a Frontier feature available now in Microsoft 365. It operates with the users’ Microsoft permissions and can use Microsoft Graph to read and operate on data in one’s Microsoft tenant.\n\nIn this article, we demonstrate that through an [indirect prompt injection](https://www.promptarmor.com/resources/indirect-prompt-injection) in a poisoned skill, attackers can exfiltrate files from M365. This is done by exploiting the fact that, unlike other sensitive actions, sending emails and Teams messages to the active user does not require human approval, and opening the compromised messages in Teams or Outlook can trigger attacker-controlled network requests.\n\nThis risk reflects that giving agents access to multiple systems expands the prompt-injection attack surface. 
In isolation, the agent’s intended capabilities are benign; however, due to the properties of the integrated systems, users are at risk. This is reminiscent of our previous work on how [URL previews in communications apps have become an egress surface for agents](./llm-data-exfiltration-via-url-previews-(with-openclaw-example-and-test)). As this risk pertains to the design of a system in which agents act with delegated authority across an entire enterprise ecosystem, rather than to a specific bug, we are publicizing this work to inform users of the risks they are accepting by using an agentic product of this nature.\n\nSeparate from this risk, we have disclosed a vulnerability to Microsoft that directly allows data egress from Copilot Cowork’s sandbox environment.\n\n[The Attack Chain](#the-attack-chain)\n\nMicrosoft’s [documentation](https://learn.microsoft.com/en-us/microsoft-365/copilot/cowork/use-cowork#approve-actions) on action approvals states, “[Copilot] Cowork asks for your permission before taking sensitive actions, like sending an email or posting a message in Teams.” However, in practice, when the recipient is the active user, these actions execute immediately without requiring human approval (users do not have a setting to modify this behavior). Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent. Copilot Cowork can retrieve ‘pre-authenticated download links’ for files the user has access to, which allow anyone who opens the link to download that file. 
So, a manipulated agent can exfiltrate files by exfiltrating pre-authenticated download links.\n\n**The victim has access to files stored in SharePoint or OneDrive containing PII and financial data**\n\n**The victim uploads a skill file to Copilot Cowork that contains a prompt injection**\n\nFor general use cases, this is quite common; a user finds a file online that they upload as a skill. This attack is not dependent on the injection source; other injection sources include, but are not limited to, web data from Claude for Chrome and connected MCP servers.\n\n*Note: Admins have limited oversight of ‘Skills’, as Skills in Copilot Cowork are automatically loaded from a specific path in a user’s OneDrive.*\n\n**The victim asks Microsoft Copilot Cowork to review what they worked on that week, triggering the skill**\n\n**The injection manipulates Microsoft Copilot Cowork to post a Teams message that will exfiltrate pre-authenticated file download links when it is viewed**\n\nThe injection tells Copilot Cowork that a service exists to create document previews for the recap message; to do this, the agent retrieves pre-authenticated file download links for each file and passes those URLs as query parameters to an attacker-controlled site via malicious HTML image tags.\n\n**At no point in this process is human approval required.** If we expand the ‘Task complete’ block, we can see the agent’s actions play out – but *the malicious message content is never visible*, even when the Teams action is clicked on.\n\n**When the user opens their Teams messages, the pre-authenticated download links are exfiltrated, and the attacker can download the files by visiting the link**\n\n[Mitigating Risks for Your Organization](#mitigating-risks-for-your-organization)\n\nMicrosoft Copilot Cowork has read access to essentially any resource a user does through Microsoft Graph. 
As such, the primary mechanism to reduce the blast radius of attacks like this is to restrict excessive permissioning across one’s Microsoft ecosystem.\n\nTo restrict users’ ability to retrieve pre-authenticated download links for files, administrators can restrict file downloads from SharePoint by running commands in the SharePoint Online Management Shell:\n\n`Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true`\n\nOr, to block based on a sensitivity label:\n\n`Set-Label -Identity <label> -AdvancedSettings @{BlockDownloadPolicy=\"true\"}`\n\n*Note: This configuration affects functionality; **documentation** states that for files under the policy 'BlockDownloadPolicy', \"Users have browser-only access with no ability to download, print, or sync files. They also can't access content through apps, including the Microsoft 365 Apps (like Word, Excel, PowerPoint, and so on).\"*\n\n[Model Agnostic Exploitation](#model-agnostic-exploitation)\n\nThe attack chain was initially conducted with the model selection set to ‘auto’, which dynamically routes between Claude Opus 4.7 and Claude Sonnet 4.6. However, we validated explicitly that this attack succeeds with the exact same injection on the more advanced Opus 4.7 model by setting the model directly.\n\nOpus 4.7 was more comprehensive in its search for recently edited documents; it expanded exfiltration to include every document used in previous Copilot Cowork sessions that week, as well as the files stored in more typical document locations that were found when the model was set to ‘auto’.\n\n[Prompt Injection Efficacy](#prompt-injection-efficacy)\n\nThis prompt injection exhibited a very high efficacy, and we noted that Copilot Cowork completed the entire attack chain on every trial (5 for 5). 
Furthermore, the attack was not contingent on the specific wording of the user query – whenever the model invoked the skill, the injection succeeded.\n\nThe injection consisted of 5 lines in an 81-line skill file, all of comparable length to the other lines.\n\nThis demonstrates that even with the latest models and only a small excerpt of malicious text, an indirect prompt injection can hijack agent behavior.\n\nAs such, we urge readers to exercise caution when working with untrusted data, such as skills shared online – especially when the untrusted data is placed into a trusted context, such as a skill file.\n\n[Scheduled Tasks Exacerbate Risks](#scheduled-tasks-exacerbate-risks)\n\nIn Copilot Cowork, users can create scheduled tasks. A scheduled task is a prompt that executes on a recurring basis without user oversight. The 'weekly review' behavior described in this article is the exact kind of task a user would be likely to automate with a scheduled task.\n\nScheduled tasks increase the risk surface for attacks like this significantly, as the user is not present to stop malicious workflows, and the prompt injections can take effect on a recurring basis.", "url": "https://wpnews.pro/news/microsoft-copilot-cowork-exfiltrates-files", "canonical_source": "https://www.promptarmor.com/resources/microsoft-copilot-cowork-exfiltrates-files", "published_at": "2026-05-25 21:45:57+00:00", "updated_at": "2026-05-25 22:07:47.037222+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "large-language-models", "generative-ai", "ai-products"], "entities": ["Microsoft", "Copilot Cowork", "Claude Opus 4.7", "Microsoft 365", "Microsoft Graph", "PromptArmor", "Teams", "Outlook"], "alternates": {"html": "https://wpnews.pro/news/microsoft-copilot-cowork-exfiltrates-files", "markdown": "https://wpnews.pro/news/microsoft-copilot-cowork-exfiltrates-files.md", "text": "https://wpnews.pro/news/microsoft-copilot-cowork-exfiltrates-files.txt", "jsonld": 
"https://wpnews.pro/news/microsoft-copilot-cowork-exfiltrates-files.jsonld"}}