.promptarmor.com/resources/microsoft-copilot-cowork-exfiltrates-files" target="_blank" rel="noopener noreferrer">PromptArmor, May 2026 technical disclosure
The message appears blank or normal to the recipient. There is no visible link, no attached file, no suspicious text. The image tags are invisible because the attacker's beacon server returns an empty or 1×1 pixel response. From the victim's perspective, they received a routine message from Copilot; from the attacker's perspective, the server logs contain pre-authenticated file access tokens, received before the user finished reading .
The image beacon technique for data exfiltration is not new in web security — it is a well-known covert channel in HTML email clients and web applications that load remote resources. What is different here is the combination: (a) an LLM agent with Graph API access programmatically constructing these payloads at runtime, (b) pre-authenticated file URLs eliminating any credential step for the attacker, and (c) a delivery channel exempt from the approval framework. Each component individually has established defenses; the combination creates an exfiltration path with no automated detection or prevention in the current Cowork implementation .
Pre-authenticated link expiry determines the attacker's effective window. Microsoft Graph's download token lifetimes vary by service and tenant configuration but are typically measured in hours to days for SharePoint and OneDrive . An attacker who receives the beacon within that window can download arbitrarily large volumes of documents with no further interaction with the victim's environment. Restricting pre-authenticated link generation at the tenant level via SharePoint Online Management Shell's BlockDownloadPolicy degrades the payload quality — but at real cost to legitimate user workflows that depend on these links for sharing and preview.
Scope of Exposure: SharePoint, OneDrive, and Exchange
The attack's reach is bounded by the signed-in user's delegated Microsoft Graph permissions. For a typical enterprise M365 user with Copilot Cowork enabled, that covers a substantial surface. Any document the user can read is within scope — files they authored, files shared with them by colleagues, SharePoint libraries they have read access to, and Exchange items in their mailbox. The agent is not limited to files the user owns . The enumeration strategy targets recently accessed items first, maximizing the sensitivity of exfiltrated content with the minimum number of API calls.
| Service | Data Types at Risk | Graph Scope Used | Notes |
|---|---|---|---|
| SharePoint | Documents, spreadsheets, presentations, library files | Sites.Read.All, Files.Read.All | Recently accessed items enumerated first; includes files shared with the user from other libraries |
| OneDrive | Personal files, downloads, collaboration drafts | Files.Read, Files.Read.All | Pre-authenticated download links generated from /me/drive/recent |
| Exchange / Outlook | Email messages, attachments, calendar events | Mail.Read, Calendars.Read | Full mailbox readable via Graph; attachments downloadable via pre-auth links |
| Teams | Chat history, channel messages, file shares | Chat.Read, ChannelMessage.Read.All | All threads and files within teams the user belongs to |
| Dynamics 365 | CRM records, sales pipeline, financial data | Dynamics CRM User, User.Read | Reachable via the same Skills primitive; scope depends on the user's CRM role assignment |
The "recently accessed items first" enumeration order is significant for risk triage. An attack against a CFO's session retrieves the Q2 earnings model before a two-year-old expense report. Against an HR director's session, the most recent compensation spreadsheet or performance review surfaces first. The agent's ability to target high-value content without explicit adversary direction is a direct consequence of Graph's /me/drive/recent ordering — it effectively does what a human attacker with five minutes at an unlocked terminal would do .
Enterprise tenants with Copilot Cowork enabled and no supplementary DLP controls have no technical barrier to this attack path as of the disclosure date . The scope question ultimately comes down to whether existing DLP policies inspect HTML image tag src attributes in Teams message bodies. Most default configurations do not operate at that level of message fidelity — a payload carrying sensitive data in invisible HTML attributes will pass through most default DLP rule sets without a flag.
No Patch, No CVE: Where the Disclosure Stands
PromptArmor published the full technical writeup on May 26, 2026, with reproduction steps and attack trace . As of the disclosure date, Microsoft had issued no patch, assigned no CVE, and made no public statement. PromptArmor followed Microsoft's Coordinated Vulnerability Disclosure (CVD) process before going public but had not confirmed receipt of a private Microsoft response by publication time. The vulnerability has no identifier in any public vulnerability tracking system.
"As of publication, Microsoft has issued no patch, no CVE, and no public statement. We completed coordinated disclosure through Microsoft's CVD program prior to going public." — PromptArmor, May 26, 2026 disclosure
For context: a related Copilot Studio vulnerability — CVE-2026-21520, rated CVSS 7.5 — was patched earlier in 2026 after a separate disclosure by Capsule Security . The two issues are distinct — different product surfaces, different exploitation paths — but the Copilot Studio patch demonstrates Microsoft is aware of the broader class of prompt injection exfiltration issues in its Copilot ecosystem and has resolved at least one variant. The Cowork variant remains unaddressed.
The absence of a CVE has operational consequences that go beyond the patch queue. Without a CVE, the vulnerability does not surface in standard vulnerability scanners, does not trigger patch management workflows, and does not populate asset risk scores in SIEMs or vulnerability management platforms. Security teams relying primarily on CVE feeds will receive no automated alert for this issue. It requires deliberate, manual coverage .
There is also currently no mechanism in Copilot Cowork to scan Skills scripts for injected instructions prior to execution, no allowlist or denylist for Skills content patterns, and no runtime sandboxing that would limit the agent's Graph scope during Skill execution. The attack surface is fully live in every Microsoft 365 tenant that has Copilot Cowork enabled with user-authored Skills .
Mitigation Stances Until a Patch Arrives
Without an official patch or confirmed workaround from Microsoft, defenders are working with partial mitigations: capability restrictions, policy tightening, and improved monitoring. None fully closes the attack path. The right combination depends on the sensitivity of the tenant's data and how operationally central Copilot Cowork is to current workflows.
Disable Copilot Cowork at the tenant level. For high-sensitivity environments — legal, finance, HR, executive — this is the most direct mitigation available. If Cowork is not operationally critical, removing it eliminates the attack surface entirely. Check the Microsoft 365 admin center for per-feature restriction controls; if granular controls are not available, adjusting the Copilot license assignment for affected users may be required. Evaluate actual Cowork usage patterns before deploying a broad disable .
Audit OneDrive for unrecognized Skills scripts. Skills are stored as files in users' OneDrive instances. A targeted audit should identify Skills files with anomalous modification timestamps, recent uploads from unfamiliar sessions, or origins from external shared links. Script content containing external HTTP references, HTML image tags, or Graph API calls outside the Skill's stated functional scope warrants immediate review. Pay particular attention to Skills files modified after the user's last confirmed session .
Apply Microsoft Purview DLP policies. DLP policies can restrict pre-authenticated link generation for SharePoint and OneDrive via SharePoint Online Management Shell's BlockDownloadPolicy setting, degrading the exfiltration payload quality by making download URLs non-functional for unauthenticated recipients. Additionally, configure DLP rules to detect Teams messages containing HTML with external image src attributes — this directly targets the delivery mechanism the attack uses. Default DLP configurations do not inspect at this level of message fidelity; these rules require explicit authoring .
Enable and monitor Microsoft Graph unified audit logs. Write detection queries for the specific patterns this attack produces: bulk file enumeration (repeated /me/drive/recent or /sites/{id}/drive calls within a short window), rapid access of recently modified documents across multiple libraries, and Teams messages from Copilot contexts containing outbound image references. Microsoft Sentinel can ingest these logs and alert on anomalous agent-level Graph activity. Post-incident forensics also depends on these logs being enabled and retained with sufficient history .
Developers building on Graph or extending Copilot integrations should also audit their own Skills scripts against these patterns: Does any Skill write external URLs into message bodies? Does any Skill enumerate files beyond its stated functional scope? Does any Skill generate pre-authenticated links as a side effect of another operation? These are the same questions an attacker would ask — worth answering internally first.
Frequently Asked Questions
What is Copilot Cowork and how does it differ from standard Microsoft Copilot?
Copilot Cowork is the agentic extension of Microsoft 365 Copilot. Standard M365 Copilot handles single-turn prompts — summarize a document, draft an email — within a single context window with no persistent automation state. Cowork lets users define Skills: LLM-driven automation scripts stored as files in OneDrive that Copilot invokes and executes autonomously. When activated, a Skill chains multiple Microsoft Graph API calls without per-step user approval. The agent runs with the signed-in user's delegated permissions, giving it read and write access across Outlook, Teams, SharePoint, OneDrive, and Dynamics 365 for the duration of the task .
Does the victim have to click anything for the exfiltration to succeed?
The victim only needs to open the Teams message carrying the payload. Teams renders HTML in message bodies and loads referenced image tags automatically on message open — no explicit link click, no file download prompt, no additional interaction is required. The outbound GET requests that deliver pre-authenticated file links to the attacker's server fire at the moment the message loads in the Teams client. The message itself appears blank or routine; there is no visible indication that anything has been transmitted to an external server .
Why didn't the built-in approval flow block this attack?
Copilot Cowork's approval framework guards against the agent sending data to external recipients — but sending a Teams message or Outlook email to the currently signed-in user carries zero approval requirement by design. The classification was "inherently low-risk." The injected instructions exploit this directly: they never request an external file share or any approval-gated action. They instruct the agent to message the current user — fully authorized — and embed the exfiltration payload in the message body. The gate was drawn around the wrong invariant: destination rather than content .
Which Microsoft 365 services are within the attack's reach?
Any service accessible via the signed-in user's delegated Microsoft Graph permissions is reachable. This includes SharePoint document libraries, OneDrive personal storage, Exchange/Outlook email and attachments, Teams chat history and shared files, and Dynamics 365 CRM records. The attack requires no admin access or elevated privileges. For a typical enterprise M365 user with Copilot Cowork enabled, the accessible surface is extensive — and includes documents shared with the user by others, not only files they authored .
Is there a patch or official workaround available?
No patch had been issued and no CVE had been assigned as of the May 26, 2026 disclosure date . PromptArmor completed Microsoft's Coordinated Vulnerability Disclosure (CVD) process before publishing but had not confirmed receipt of a private Microsoft response. Interim measures include auditing OneDrive for unrecognized or recently modified Skills scripts, disabling Copilot Cowork in high-sensitivity tenants, applying Microsoft Purview DLP policies to restrict pre-authenticated link generation, and enabling Graph unified audit logs to detect abnormal file enumeration activity. Monitor ongoing coverage and the Microsoft Security Response Center for patch status updates.
What the Cowork Disclosure Means for Agent Security Design
The Copilot Cowork finding is a clear illustration of a structural challenge in agentic AI design: approval frameworks that reason about where content is routed, rather than what content is encoded in outbound messages, can be bypassed by an attacker who controls any part of the agent's execution context. Prompt injection into LLM agents has been documented repeatedly since 2023, and the image beacon technique is well-established in web security — but the specific combination of Graph pre-authenticated links, a reliable bypass of the Cowork approval gate, and a 100% reproducible end-to-end chain gives this instance unusually clear operational weight .
For teams building on Microsoft Graph or developing Copilot extensions, the design lesson is about where inspection needs to happen in agent output pipelines. An agent that can compose rich outbound content — HTML messages, Markdown with embedded links, adaptive card payloads — requires content-level inspection before delivery, not only recipient-level authorization checks. Every external URL in an agent-composed message is a potential exfiltration channel. This is as true for first-party Microsoft Copilot agents as it is for custom agents built on the Graph SDK, the MCP protocol, or any other agentic framework with network-accessible output channels .
The absence of a patch or CVE as of late May 2026 forces operational teams to make risk decisions without a clear remediation timeline. For tenants handling sensitive financial, legal, or HR data, restricting Cowork is worth the workflow cost until a patch ships. For lower-sensitivity tenants where Cowork adoption is significant, tighter DLP policy coverage and Graph audit log monitoring provide proportionate risk reduction. Track PromptArmor's disclosure page and the Microsoft Security Response Center for updates as the situation develops .
Last updated: 2026-05-30. Based on PromptArmor's technical disclosure published May 26, 2026, and coverage current as of that date. Microsoft's patch and CVE assignment status may have changed after publication — verify current remediation availability before making security decisions.
