[HN]score: 0.42
Microsoft Copilot Cowork Vulnerable to File Exfiltration via Prompt Injection
May 25, 2026
Indirect prompt injection in a poisoned Copilot Cowork skill can exfiltrate M365 files by exploiting auto-approved email and Teams message actions, with high success rates against Claude Opus 4.7 and other frontier models.
HOW THIS AFFECTS YOU
●
builderIf you're building on Microsoft 365 Copilot or any agentic system with multi-service access, this demonstrates that auto-approving low-sensitivity actions (like sending messages) creates a viable exfiltration vector you must explicitly gate.
●
policyThis is a concrete, reproducible safety failure in a widely deployed enterprise AI agent, reinforcing that agentic AI systems require mandatory human-in-the-loop approval for all outbound actions regardless of perceived sensitivity.