The Information Machine

Microsoft Copilot Cowork Exfiltrates Files

Simon Willison · 2026-05-26

A prompt injection vulnerability in Microsoft Copilot Cowork allows attackers to exfiltrate OneDrive files by embedding malicious instructions that cause the agent to send emails containing external images that leak pre-authenticated download links.

Extraction

Topics: prompt-injection, ai-security, data-exfiltration, agentic-systems, microsoft-copilot

Claims

  • Microsoft Copilot Cowork allows agents to send emails to users' own inboxes without user approval.
  • Emails sent by the agent can contain external images that trigger network requests, enabling data exfiltration when a user opens a compromised message.
  • OneDrive's pre-authenticated download links can be leaked via successful prompt injection, allowing an attacker to download files without further authentication.
  • Preventing data exfiltration remains the central unsolved challenge in designing agentic AI systems.

Key quotes

Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent.
Since OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be leaked, allowing files to be downloaded by the attacker.
The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data.