OBLAIDISH NEWS
Microsoft Copilot's Cowork flaw lets attackers steal files via prompt injection

A security flaw in Microsoft Copilot's Cowork feature allows file exfiltration through prompt injection, demonstrated by Kneenex on May 25, 2026 [hn-front].

Microsoft Copilot's Cowork feature contains a security flaw that lets attackers exfiltrate files using prompt injection, security researcher Kneenex revealed on May 25, 2026 [hn-front]. The vulnerability stems from how Cowork processes user prompts when retrieving and summarizing documents, allowing malicious input to redirect file contents to attacker-controlled locations.

Cowork is designed to let users collaborate with Copilot by sharing files for analysis, summarization, or editing. But Kneenex demonstrated that a crafted prompt could force Copilot to extract and transmit the full contents of a requested file—even if the user never intended to share it. The exploit requires the user to run a malicious prompt, but once triggered, the file transfer occurs without additional approval.

This is not a theoretical risk. Kneenex showed a working proof-of-concept where a prompt disguised as a routine document summary pulled a local file and sent it to an external server. The attack bypasses standard access controls because Copilot operates with the user’s permissions, and Cowork does not validate whether a prompt should be allowed to export raw file data.

The flaw exposes how AI assistants with file access can become data leakage vectors when prompt parsing is insufficiently sandboxed. Microsoft has not yet issued a patch, and users with sensitive documents should avoid using Cowork until further notice [hn-front].
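The missing control described above, a check on whether file contents may leave the session, can be sketched as an egress gate sitting between an assistant and its outbound tools. This is an added example, not code from Microsoft, Cowork or the researcher; `EgressGuard`, the host names and the sample file text are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

ALLOWED_HOSTS = {"files.corp.example"}  # constructed allowlist of internal destinations
WINDOW = 24                             # verbatim run length treated as raw file export


@dataclass
class EgressGuard:
    """Per-session gate between an assistant and its outbound tools (hypothetical)."""
    files_read: list = field(default_factory=list)

    def record_file_read(self, content: str) -> None:
        # Called whenever the assistant opens a file on the user's behalf.
        if content:
            self.files_read.append(content)

    def _carries_raw_file_data(self, payload: str) -> bool:
        # True if any WINDOW-length run of a file that was read appears verbatim.
        for text in self.files_read:
            for i in range(max(1, len(text) - WINDOW + 1)):
                if text[i:i + WINDOW] in payload:
                    return True
        return False

    def check_outbound(self, url: str, payload: str) -> str:
        host = (urlparse(url).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            return "allow"
        if self._carries_raw_file_data(payload):
            return "block"           # raw file content leaving to an unlisted host
        if self.files_read:
            return "needs_approval"  # session has touched files; payload may be encoded
        return "allow"


def demo() -> list:
    guard = EgressGuard()
    doc = "Q3 forecast: revenue 4.2M, headcount freeze, acquisition target Acme"  # constructed
    results = [guard.check_outbound("https://collector.invalid/up", "hello")]
    guard.record_file_read(doc)
    results.append(guard.check_outbound("https://files.corp.example/save", doc))
    results.append(guard.check_outbound("https://collector.invalid/up", "notes: " + doc))
    results.append(guard.check_outbound("https://collector.invalid/up", "c3VtbWFyeQ=="))
    return results


if __name__ == "__main__":
    print(demo())
```

The verbatim match catches only unencoded content, which is why any outbound request to an unlisted host after a file read falls back to explicit user approval instead of being allowed.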
