← all news

Microsoft Copilot Cowork can be tricked into leaking files

AI · · · source (simonwillison.net)

PromptArmor disclosed a vulnerability in Microsoft Copilot Cowork that turns the agent into a file exfiltration channel, and Simon Willison's write-up walks through why it matters. The chain combines three things, each defensible on its own. The agent can send emails without user approval. Messages render external image content when the user opens them. And OneDrive's pre-authenticated download links work for anyone who has the URL.

Put those together and a prompt injection delivered to the agent can cause it to mail itself a message containing OneDrive image references. When the user opens that message, the renderer fires off requests to an attacker's server with the file URLs attached. The attacker now has direct download links to files the user never meant to share. Willison's point is that the failure here is not in any one component. Each was reasonable in isolation. The failure is in giving an agentic system the ability to compose all of them.

He frames this as one of the recurring patterns in agent security. Any time an agent can take an action with side effects (send mail, fetch a URL, write to shared storage) without a human reviewing the specific output, prompt injection becomes a practical attack rather than a theoretical one. Earlier PromptArmor disclosures against other Copilot products followed the same shape.

Why it matters

If you are deploying agentic features in an enterprise inbox or document store, this is the threat model to plan against. The dangerous step is rarely a single tool call, but a chain that crosses trust boundaries. The fix is usually a human-in-the-loop checkpoint on outbound actions, not a smarter model.

SecurityAgentsPrompt Injection