info@agency-os.ai Design system v0.1 Fast · accessible · tokenized

Microsoft Copilot Cowork Can Leak Your Files. Here’s Why It Matters.

A prompt injection flaw in Microsoft Copilot Cowork lets attackers exfiltrate files through agent-sent emails. Every business running AI agents needs to pay attention.

A digital padlock surrounded by glowing network connections representing AI agent security vulnerabilities

Microsoft’s AI agent just got caught leaking files. Copilot Cowork, a real production product from Microsoft, has a security flaw that lets attackers steal your data through prompt injection. If you run a service business and you’ve deployed (or are thinking about deploying) AI agents that touch email, documents, or client data, this one’s for you.

Simon Willison flagged the issue this week, calling it part of the biggest challenge in designing agentic systems: preventing attackers from exfiltrating data. And he’s right. This isn’t a theoretical risk. It’s happening in a shipping Microsoft product.

What happened

  • Microsoft Copilot Cowork allows AI agents to send emails to a user’s own inbox without requiring approval.
  • Those emails can contain external images that trigger network requests to outside websites when the user opens the message.
  • An attacker can use prompt injection (feeding hidden instructions to the AI) to craft a message that embeds a malicious image link, leaking data when the image loads.
  • Because OneDrive can create pre-authenticated download links, a successful prompt injection could cause those links to be included in the exfiltrated data. That means an attacker could download the victim’s actual files.
  • The core flaw is a combination of three things: autonomous email generation, external image rendering, and prompt injection. Together, they create a data exfiltration pipeline.

Why this combination is so dangerous

Each piece of this attack chain seems harmless on its own. An agent that sends you emails? Convenient. Emails that render images? Normal. An AI that sometimes follows instructions embedded in content? A known issue. But stack all three together and you get a system that can silently hand your files to a stranger.

Simon Willison has been writing about this pattern for years. He sometimes calls it the “lethal trifecta” of agentic AI. And it keeps showing up in production systems from the biggest companies in the world.

5 things every service business should know about AI agent security

  1. Prompt injection is not solved. No one, not Microsoft, not Google, not OpenAI, has a reliable fix for prompt injection. If your AI agent reads untrusted content (emails, documents, web pages) and then takes actions, it can be manipulated.
  2. Autonomous actions are the real risk. An AI that summarizes text is low risk. An AI that sends emails, creates links, or moves files on its own is high risk. The moment an agent acts without a human approving the action, the attack surface explodes.
  3. External rendering creates side channels. Any time your system renders external content (images, links, iframes), you’ve created a path for data to leave your network. This is true for email clients, chat apps, and internal dashboards alike.
  4. Pre-authenticated links are gasoline on the fire. Services like OneDrive and SharePoint can generate links that don’t require a login to access. If an attacker gets one of those links, they have your file. Period. No password needed.
  5. This will happen again. Every major tech company is shipping agents fast. Speed means corners get cut. If Microsoft missed this in Copilot Cowork, assume similar flaws exist in other agentic products you’re using or evaluating.

The hot take

The industry is shipping autonomous AI agents way faster than it’s shipping the security architecture to keep them safe. Microsoft is one of the most security-conscious companies on the planet. They employ thousands of security engineers. And they still shipped a product where an agent can silently exfiltrate your OneDrive files through a rendered image in an email. That should terrify you. Not because Microsoft is bad at security, but because if they can’t get this right yet, nobody can. Any business plugging AI agents into their workflows without explicit human approval gates on outbound actions is playing with fire. Full stop.

The Agency OS play

This week, audit every AI agent or copilot tool that has access to your company’s email, file storage, or client data. Make a list. For each one, answer two questions: Can it take actions (send messages, create links, modify files) without a human clicking “approve”? And does it ever render external content like images or links from outside your organization? If the answer to both is yes, you have the same class of vulnerability that just hit Copilot Cowork.

The fix isn’t complicated in concept. Put a human approval step in front of any agent action that sends data outside your system. That means email sends, link generations, file shares, and API calls to external services all need a “confirm” button. Yes, it adds friction. Yes, it slows things down. It’s still worth it. A single leaked client file can cost you more than the time savings from a year of automation.

If you’re building custom agents or evaluating vendor tools, add these to your checklist right now: no autonomous outbound communication without approval, no external image rendering in agent-generated messages, and no pre-authenticated file links in any content the agent can access. Strip those three things out and you’ve closed the exact attack path that burned Microsoft this week. Also, start sandboxing your agents. Run them with the minimum permissions they need to do their job, and nothing more. An agent that summarizes meeting notes doesn’t need access to your entire OneDrive. Scope it down.

Translate: