Microsoft Copilot Cowork Vulnerability Allows Email Exfiltration
Patch Copilot Cowork to prevent unsanctioned email sending and image rendering.
Apply security patch to restrict agent email sending and block external image requests.
Summary
Microsoft Copilot Cowork, a new Microsoft 365 feature, was found to allow agents to send emails to the user’s own inbox without approval. The emails could contain external images that trigger network requests, creating a vector for data exfiltration when a user opens a compromised message. OneDrive’s pre‑authenticated download links could be leaked via prompt injection, allowing attackers to download files.
The vulnerability requires a patch to restrict agent email sending and block external image rendering. Prompt injection could also lead to the exfiltration of files through compromised messages, posing a significant risk to enterprise data security. Microsoft must address the issue promptly to prevent attackers from leveraging Copilot Cowork for data theft.
Key changes
- Copilot Cowork allowed agents to send emails to the user’s inbox without approval.
- Emails could contain external images that trigger network requests.
- OneDrive pre‑authenticated links could be leaked via prompt injection.
- Attackers could exfiltrate files by opening compromised messages.
- The vulnerability requires a patch to restrict agent email sending and block external image rendering.