Agent-generated emails displayed with external images can trigger network requests that expose OneDrive download links, enabling file exfiltration via prompt injection.
AI Quick Take
- Agents were able to send emails to a user's inbox without explicit approval, creating a new channel for data leakage.
- External images in those agent-sent messages can trigger network requests that leak OneDrive pre-authenticated download links after prompt injection.
Microsoft's Copilot Cowork can allow agent workflows to send email messages to a user's inbox without explicit user approval, and those messages were displayed in a way that loads external images. That rendering behavior creates a network-access channel an attacker can exploit: because external images trigger outbound requests, an attacker-controlled host can receive data embedded in those requests.
The practical leak described combines agent actions with cloud storage link semantics. OneDrive can create pre-authenticated download links; if a prompt injection causes an agent to include such a link in a message or otherwise expose it, the externally loaded image requests can carry that link to an attacker. An attacker who receives the pre-authenticated URL can then download files directly, turning an automated convenience feature into a data-exfiltration vector.
The issue underscores operational trade-offs for developer teams using agentic copilots: automation that acts on behalf of users expands where sensitive artifacts can surface, and standard defenses may not account for agent-initiated messages or rendered external resources. Engineers should audit agent permissions around outbound communications, consider blocking or sandboxing external image loads in agent-generated messages, and tighten policies for creating pre-authenticated links. Monitor vendor advisories for fixes, and assume any feature that can produce unauthenticated access tokens or links needs additional guardrails before being enabled in production environments.