Microsoft Copilot Cowork Exfiltrates Files
Microsoft Copilot Cowork has been found to be vulnerable to file exfiltration attacks due to insecure automatic action approvals. Attackers can exploit this vulnerability through indirect prompt injection, allowing them to exfiltrate files from Microsoft 365. The issue arises from the lack of human approval for sending emails and Teams messages to the active user, which can trigger malicious actions.
- Copilot Cowork can exfiltrate files by sending compromised messages that contain pre-authenticated download links.
- The vulnerability allows attackers to manipulate the system without requiring human approval for sensitive actions.
- Users are at risk due to the design of the system, which grants agents access to multiple systems within the Microsoft ecosystem.
Opening excerpt (first ~120 words):
Microsoft Copilot Cowork is vulnerable to file exfiltration attacks via indirect prompt injection as a result of insecure automatic action approvals for sending Emails and Teams messages.
This attack achieved a high success rate against state-of-the-art models, including Claude Opus 4.7.
Overview
Copilot Cowork is a Frontier feature available now in Microsoft 365. It operates with the users’ Microsoft permissions and can use Microsoft Graph to read and operate on data in one’s Microsoft tenant.
In this article, we demonstrate that through an indirect prompt injection in a poisoned skill, attackers can exfiltrate files from M365.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Promptarmor.