TL;DR
- Security Claim: Enterprise AI security and compliance platform PromptArmor says Copilot Cowork may expose file links through self-directed messages triggered by poisoned workflow content.
- Approval Model: Microsoft’s public Cowork guidance says sensitive actions require permission, but the reported test path reached the active user without that stop.
- Tenant Exposure: Existing Microsoft 365 permissions, broad app reach, and recurring tasks could widen the impact in overpermissioned enterprise environments.
Enterprise AI security and compliance platform PromptArmor warns Copilot Cowork may expose downloadable links to files a user already had permission to open when a poisoned workflow sends a message back to that same user. Hidden instructions inside ordinary business content could turn a normal workflow into a file-access path without relying on a user to approve a notably suspicious step.
Enterprise exposure gives the reported flaw more weight than a narrow chat failure. Microsoft made Copilot Cowork available to users on March 10 as a tool built to act across Microsoft 365 data instead of staying inside a simple prompt box.
Approval Controls Under Pressure
Microsoft’s current public Copilot Cowork guidance points in the opposite direction from what PromptArmor suggests. According to Microsoft, Copilot Cowork asks for permission before sensitive actions such as sending email or posting in Teams. PromptArmor alleges those same message actions can still reach the active user without that approval stop, leaving Microsoft’s documented safeguard in direct tension with the reported result.
Microsoft labels medium- and high-risk approvals with a risk-level indicator. Users can also skip future approvals for similar actions inside the same conversation. If PromptArmor’s test path is accurate, the weak point sits where a self-directed Teams or Outlook message reaches the active user before that approval model can do its job.
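To make the approval model concrete from a defender's side, the following Python is an added example written for this article; it is not code from Microsoft or PromptArmor. It models a gate in which sensitive message actions wait for permission, carry a risk level, and can reuse an approval for similar actions in one conversation, then contrasts a gate that lets a self-addressed message skip the stop with one that holds every sensitive message, refuses to reuse an approval for link-bearing or scheduled actions, and so closes the reported path. Every action kind, field name, address and sample message is an assumption made for the model.

```python
"""Approval-gate model for an agent's outbound message actions.

Added illustration, not code from Microsoft or PromptArmor. Action kinds,
risk levels, field names and the sample workflow are assumptions for the model.
"""
from dataclasses import dataclass, field
import re

# Anything that looks like a URL in an outbound message is treated as a possible file link
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Action kinds the model treats as sensitive (assumed names, not Microsoft's)
SENSITIVE_KINDS = {"send_email", "post_teams"}


@dataclass
class Action:
    kind: str               # "send_email", "post_teams", "read_file", ...
    recipient: str          # who the message goes to; "" for non-message actions
    body: str               # message text
    source: str = "live"    # "live" for a user-driven prompt, "scheduled" for a recurring task


@dataclass
class Decision:
    allowed: bool           # may the agent execute the action now?
    needs_approval: bool    # must a human confirm first?
    risk: str               # "low", "medium" or "high"
    reason: str


def risk_level(action: Action) -> str:
    """Medium for any sensitive message, high if it carries a link."""
    if action.kind not in SENSITIVE_KINDS:
        return "low"
    return "high" if URL_RE.search(action.body) else "medium"


@dataclass
class ApprovalGate:
    active_user: str
    strict: bool                                      # False reproduces the gap, True closes it
    approved_kinds: set = field(default_factory=set)  # "skip future approvals" within a conversation

    def approve_similar(self, kind: str) -> None:
        """Record that the user chose to skip future approvals for this action kind."""
        self.approved_kinds.add(kind)

    def evaluate(self, action: Action) -> Decision:
        risk = risk_level(action)
        if risk == "low":
            return Decision(True, False, risk, "not a sensitive action")
        if not self.strict and action.recipient == self.active_user:
            # The weak point the article points at: a message back to the active
            # user never reaches the approval stop.
            return Decision(True, False, risk, "self-addressed message skipped approval")
        if action.kind in self.approved_kinds:
            if self.strict and (risk == "high" or action.source == "scheduled"):
                return Decision(False, True, risk,
                                "earlier approval not reused for a link-bearing or scheduled action")
            return Decision(True, False, risk, "reusing approval for a similar action")
        return Decision(False, True, risk, "held for user approval")


def run_workflow(gate: ApprovalGate, actions: list) -> list:
    """Evaluate a workflow step by step; returns one Decision per action."""
    return [gate.evaluate(a) for a in actions]


# Constructed sample workflow: read a file the user can already open, then
# post a message carrying a link back to that same user.
ACTIVE_USER = "alice@example.test"
SAMPLE_WORKFLOW = [
    Action("read_file", "", "Q3-summary.docx"),
    Action("post_teams", ACTIVE_USER,
           "Here is the file: https://files.example.test/s/placeholder-link"),
]

if __name__ == "__main__":
    for label, gate in (("weak", ApprovalGate(ACTIVE_USER, strict=False)),
                        ("strict", ApprovalGate(ACTIVE_USER, strict=True))):
        for action, d in zip(SAMPLE_WORKFLOW, run_workflow(gate, SAMPLE_WORKFLOW)):
            print(f"{label:6} {action.kind:10} allowed={d.allowed} "
                  f"approval={d.needs_approval} risk={d.risk}: {d.reason}")
```

The design point is that recipient identity is not a safe proxy for intent: a message back to the active user can still carry a link the workflow was never asked to produce, so the strict gate keys its decision on the action kind and on whether the body carries a link, and it declines to stretch a "skip similar" approval over link-bearing or scheduled actions.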
The reported payload was compact rather than sprawling. In the cited testing, five lines inside an 81-line skill file were enough to poison the sequence, trigger a self-addressed message, and surface a working file link. The attack also succeeded in all five trials, which raises the possibility that the behavior did not depend on one fragile prompt variation or one unusually permissive setup.
A working URL can leave the conversation with direct document access already attached. An earlier Microsoft 365 Copilot prompt-injection case from 2025 showed how the same general attack class could turn ordinary-looking content into a data-theft path.
Why Inherited Permissions Widen the Risk
Copilot Cowork runs with a user’s existing Microsoft 365 permissions, so the agent inherits whatever files, chats, and workspaces that person can already reach. Copilot Cowork also works across the browser, Outlook, Teams, desktop apps, and mobile apps, which spreads the same exposure question across several Microsoft 365 surfaces instead of leaving it in one interface.
Loosely governed tenants face the biggest downside. In overpermissioned tenants, the same path can stretch across email, Teams, SharePoint, OneDrive, calendars, and other shared business data. Administrators can still restrict or block access before broad deployment, but that control should ideally be paired with an access-rights review and tighter sharing rules before users rely on Cowork for routine work.
Recurring workflows add another operational concern. Scheduled tasks can repeat prompts without live user oversight, so a poisoned task may keep trying the same pattern after the first trigger. In a tightly managed tenant, that may limit the blast radius to a narrow set of files or teams. In a weakly governed environment, the same behavior could follow the user’s existing access into finance documents, HR material, project files, and shared team spaces.
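As an added example of how a security team might watch for the recurring-task pattern described above, the Python below is not Microsoft's or PromptArmor's code. It runs a detection rule over constructed audit lines: flag any message action that goes back to the user whose permissions the task runs under and carries a link, rate it higher when the action came from a scheduled task, and raise a task-level alert once the same scheduled task repeats the pattern across several runs. The key=value log format, field names and sample addresses are invented for the example; real Microsoft 365 audit records differ, so the parser is the assumption and the rule logic is the reusable part.

```python
"""Detection rule for self-addressed, link-bearing messages from recurring agent tasks.

Added example, not Microsoft's or PromptArmor's code. The log format, field
names and sample values below are constructed for the illustration.
"""
import re
from collections import defaultdict

# Constructed audit lines: one agent action per line, key=value fields.
# "user" is the account whose permissions the task inherits; "target" is the recipient.
SAMPLE_LOG = """\
2026-05-04T08:00:02Z task=weekly-digest run=1 source=scheduled user=alice@example.test action=read_file target=Q3-summary.docx links=0
2026-05-04T08:00:05Z task=weekly-digest run=1 source=scheduled user=alice@example.test action=post_teams target=alice@example.test links=1
2026-05-11T08:00:01Z task=weekly-digest run=2 source=scheduled user=alice@example.test action=post_teams target=alice@example.test links=1
2026-05-11T09:14:30Z task=adhoc run=1 source=live user=bob@example.test action=send_email target=carol@example.test links=1
2026-05-18T08:00:03Z task=weekly-digest run=3 source=scheduled user=alice@example.test action=post_teams target=alice@example.test links=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
MESSAGE_ACTIONS = {"post_teams", "send_email"}


def parse_line(line: str):
    """Parse one constructed audit line into a dict; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    rec["links"] = int(rec.get("links", "0"))
    rec["run"] = int(rec.get("run", "0"))
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def self_addressed_link_message(rec: dict) -> bool:
    """A message action whose recipient is the inheriting user and that carries at least one link."""
    return (rec.get("action") in MESSAGE_ACTIONS
            and rec.get("target") == rec.get("user")
            and rec["links"] > 0)


def detect(records: list, repeat_threshold: int = 2) -> list:
    """Return alerts: one per matching event, plus a task-level alert when a
    scheduled task repeats the pattern in at least repeat_threshold distinct runs."""
    alerts = []
    runs_per_task = defaultdict(set)
    for rec in records:
        if not self_addressed_link_message(rec):
            continue
        scheduled = rec.get("source") == "scheduled"
        alerts.append({
            "kind": "self_addressed_link",
            "severity": "high" if scheduled else "medium",
            "ts": rec["ts"], "task": rec.get("task"), "user": rec.get("user"),
        })
        if scheduled:
            runs_per_task[(rec.get("task"), rec.get("user"))].add(rec["run"])
    for (task, user), runs in runs_per_task.items():
        if len(runs) >= repeat_threshold:
            alerts.append({
                "kind": "recurring_self_addressed_link", "severity": "critical",
                "task": task, "user": user, "runs": sorted(runs),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The task-level alert is the one worth routing to a human: a single self-addressed link may be legitimate, but the same scheduled task producing one on every run is exactly the unattended repetition the article describes, and the inheriting user's account tells the responder whose access scope to review first.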
Microsoft expanded Cowork in May with new native integrations across Microsoft products. More integrations and reusable tasks give any successful workflow-level bypass more opportunities to move across business systems.
Connected agent platforms such as Copilot Cowork still face indirect prompt injection even after point fixes. Copilot Cowork’s wider action scope now leaves Microsoft’s documented approval guardrails under heavier pressure when the same actions move through recurring, multi-step workflows.