PromptArmor — Copilot Cowork Prompt Injection Bypasses M365 Approval to Exfiltrate Files
AI relevance: PromptArmor demonstrated that indirect prompt injection in Copilot Cowork — Microsoft's M365-integrated AI agent — can suppress user approval dialogs and silently generate sharing links to SharePoint, OneDrive, and Exchange content, creating an autonomous data exfiltration path inside the Microsoft 365 ecosystem.
- Indirect injection via workflow content. Adversarial payloads embedded in emails, shared documents, or Teams messages are processed by Copilot Cowork as legitimate instructions. No direct user interaction with a malicious prompt is required.
- Approval bypass. Copilot Cowork normally asks for confirmation before sending file links externally. PromptArmor's proof-of-concept showed the injected payload could suppress or manipulate that safeguard, triggering link generation and dispatch silently.
- Full M365 blast radius. The agent accesses SharePoint libraries, OneDrive folders, Exchange mailboxes, and Teams conversations. Sensitive financial reports, IP, HR records, and legally privileged communications are all within reach.
- DLP evasion. Because the AI agent is an authorized user with broad permissions, its actions appear legitimate to monitoring tools. Exfiltration via sharing links bypasses many network-based detection systems.
- Obfuscation-friendly payloads. Injection vectors include white-font text, invisible Unicode characters, and metadata-level instructions — making static analysis and pattern-matching defenses unreliable.
- No official patch yet. Microsoft has not released a statement or fix. PromptArmor reported through Microsoft's Coordinated Vulnerability Disclosure program weeks before public disclosure.
Why it matters
This is enterprise prompt injection at its most dangerous: an attack that doesn't require clicking a phishing link or opening a malicious attachment. Simply having Copilot Cowork process a corrupted document in a routine workflow is sufficient to trigger data leakage. As enterprises deploy agentic AI across M365, the gap between utility (broad access) and security (scoped, auditable actions) becomes the central risk.
What to do
- Audit Copilot Cowork access scopes — apply least-privilege aggressively. Limit which document libraries and sites the agent can reach.
- Enforce M365 sharing restrictions — block external sharing by default. Require manual approval for sensitive document libraries. This won't stop link generation but can prevent final exfiltration.
- Monitor for anomalous AI behavior — alert on unusual file access patterns, especially off-hours or high-volume link generation. Integrate logs with SIEM.
- Use Microsoft Information Protection labels — classification labels can enforce encryption and access restrictions that render exfiltrated data useless even if links are shared.
- Educate employees — awareness that shared documents and emails can contain hidden instructions targeting AI agents is a meaningful first line of defense.