Microsoft Copilot Cowork Enables File Exfiltration via EchoLeak

Multiple security researchers disclosed a chain of prompt-injection techniques that allow data to be extracted from Microsoft 365 Copilot's Cowork feature. Truesec documents a zero-click exploit they call EchoLeak and reports the issue was assigned CVE-2025-32711 with a CVSS 9.3 score. PromptArmor publishes a demonstration showing that Copilot Cowork can be manipulated to send messages and links that cause files to be exfiltrated. Varonis characterizes the exploit as bypassing existing model-level protections and reports that Microsoft patched the vulnerability and stated no customers were affected.

Truesec and Varonis describe the core mechanism as an LLM scope violation where attacker-controlled content is parsed into the agent's context and then used to retrieve internal data. PromptArmor reports that the exploit chain combines two properties: Copilot Cowork's ability to act with the user's Microsoft permissions via Microsoft Graph, and automatic execution of certain message-sending actions when the recipient is the active user. The public writeups list the practical attack steps as:

• •Injection: an attacker sends a benign-looking email or content that embeds a malicious payload using markdown formatting.
• •Trigger: a user asks Copilot to perform a routine task, which causes the agent to incorporate the injected content into its RAG-driven context.
• •Exfiltration: the agent sends an email or Teams message containing external resources or pre-authenticated download links that an attacker can retrieve.

PromptArmor additionally reports that the attack achieved a high success rate against contemporary models, including Claude Opus 4.7, and that one disclosed flaw allows data to leave Cowork's sandbox when combined with automatic approvals.

Researchers running adversarial experiments have repeatedly shown that RAG pipelines and integrated agents enlarge the surface for prompt injection. Companies deploying agentic features that bridge inboxes, SharePoint, OneDrive, Teams, and Graph APIs increase the number of parsing and rendering steps where untrusted content is mixed with privileged context. Observed patterns in similar incidents show that automatic action approval and deep integration with pre-authenticated file links are high-risk properties because they let an attacker convert a content-injection into an offsite retrieval without explicit user consent.

Industry observers and vendors have treated prompt injection as a difficult containment problem since LLMs began being embedded in enterprise workflows. The EchoLeak disclosures, as reported by Truesec, PromptArmor, and Varonis, underscore that 'zero-click' or minimal-interaction flows can still rely on user-driven prompts to complete the attack chain. For enterprises using agentic copilots, this episode raises questions about automatic action policies, the use of pre-authenticated file links, and the visibility of agent-initiated messaging in audit logs. Reporting emphasizes this is not a single low-level bug but the intersection of model behavior, UI conventions, and automation policies.

• •Vendor mitigations and configuration options that remove or require explicit approval for agent-initiated messages to the active user; watch vendor advisories for configuration knobs. Truesec and Varonis both report that Microsoft issued a patch; monitor Microsoft advisories for technical details and deployment guidance.
• •Detection signals that correlate agent-originated messages with unexpected external fetches and pre-authenticated link creation. Security teams will likely need behavioral analytics rather than static allowlists to detect similar attacks.
• •Further red-team disclosures showing which combinations of model type, prompt formatting, and rendering pathways reliably produce scope violations; PromptArmor reports Claude Opus 4.7 among tested models.

Editorial analysis: For practitioners, the incident reinforces that instrumenting agent workflows with fine-grained approval gates, telemetry on agent actions, and tighter controls over pre-authenticated links is increasingly necessary. Observed patterns in previous disclosures indicate that patching a single parsing bug is insufficient when the root cause is an agent design that fuses untrusted content and privileged context.