Securing Microsoft Copilot Cowork: A Security Practitioner's Guide
Threat modeling the risk surface for an agent that inherits every share its user has, plus the postures and configurations to keep Copilot Cowork from acting beyond its mandate.
Published: May 13, 2026
Overview
Microsoft 365 Copilot Cowork is an agentic, action-taking surface inside Microsoft 365 Copilot, currently available through the Microsoft Frontier preview program. Unlike Anthropic's Claude Cowork — which runs locally on the user's desktop — Microsoft's Copilot Cowork runs entirely in a sandboxed cloud environment, with delegated user identity. It is powered in large part by Anthropic's Claude models, with Anthropic operating as a Microsoft subprocessor.
Copilot Cowork drafts and sends email through Outlook, posts in Teams, schedules and declines meetings, creates and edits Word / Excel / PowerPoint / PDF files, reorganizes OneDrive and SharePoint folders, and performs deep research and enterprise search. It ships with built-in skills and commands, loads user-authored custom skills via SKILL.md files in OneDrive, and plugins from the Microsoft 365 App Store.
This guide covers the threat model and the specific tenant configurations required to deploy Copilot Cowork for your use cases with an acceptable security-functionality trade-off.
Specific use case in mind?
The Threat Model
AI Risk for Copilot Cowork depends primarily on what data it has access to and what actions it can take. The primary risk is indirect prompt injection — hijacking of the user's agent by untrusted content that the agent reads. This threat was demonstrated against Microsoft Copilot Cowork (see Microsoft Copilot Cowork Exfiltrates Files) and Copilot Cowork's namesake, which it was built on, Claude Cowork (see Claude Cowork Exfiltrates Files).
Indirect prompt injection is designated #1 in the OWASP LLM Top 10 (LLM01 Prompt Injection), and the techniques modeled below map to threats described by MITRE ATLAS.
Copilot Cowork inherits every channel of untrusted content the user touches, and every command run and integrated tool called based on retrieved content becomes part of the same attack surface. Each of the following is a potential injection or execution vector and should be evaluated before broad enablement:
Channel
Inputs and Outputs
Skills
Skill files are automatically pulled in from OneDrive and activated at the agent's discretion. A skill containing a prompt injection can manipulate the agent across chat sessions.Example of Skill-Based Injections: Microsoft Copilot Cowork Exfiltrates Files
Emails
Inbox triage can pull attacker-authored email content directly into the agent's context, and Copilot Cowork drafts and sends mail under the user's identity.Example of Email-Based Injections: Superhuman AI Exfiltrates Emails
Teams messages
External and guest chat content, channel history, and DMs the user can read all reach the agent; Copilot Cowork posts back into channels and chats on the user's behalf, where content persists in channel history and links can be unfurled by recipient clients.Example of Exfiltration from Communication Apps:
Data Exfiltration from Slack AI via Indirect Prompt InjectionExample of Data Exfiltration via Link Unfurling on Another M365 Copilot Surface:
LLM Data Exfiltration via URL Previews
SharePoint and OneDrive files
Untrusted Word / Excel / PowerPoint / PDF content, hidden text, speaker notes, comments, and metadata can be processed by Copilot Cowork. Copilot Cowork creates and edits Office documents and reorganizes folders across sites, which can move sensitive content into more permissive locations.Example of Document-Based Injections:
Notion AI: Data ExfiltrationExamples of Spreadsheet-Based Injections:
CellShock: Claude AI is Excel-lent at Stealing DataRamp's Sheets AI Exfiltrates Financials
Plugin and connector responses
Dynamics 365 records, Fabric IQ data, and partner-plugin responses that may contain sensitive data or prompt injections are returned to the agent as context; any write-capable plugin extends the agent's effective action surface beyond Microsoft 365.Example of Supply-Chain Risk from Untrusted Plugins:
Hijacking Claude Code via Injected Marketplace Plugins
Web search and Deep Research
Copilot Cowork performs internet research and fetches external web pages. Web search is a known vector for untrusted data ingestion, and for some applications, data exfiltration can occur via insecurely browsing attacker-controlled sites.Example of Insecure Agent Web-Browsing:
Google Antigravity Exfiltrates DataExample of Injection Delivery via Untrusted Websites:
HuggingFace Chat Exfiltrates Data
Copilot Cowork can render interactive cards; in the face of a prompt injection, this can be utilized to phish the user or render clickable elements that submit data to attacker-controlled endpoints.Example of Phishing via UI Manipulation:
Screen Takeover Attack in AI Tool Acquired for $1B
Calendar invites and meeting subjects
Prompt injections found in meeting invitations can be pulled into the agent's context. Copilot Cowork can schedule, decline, and edit invites on the user's calendar as output, introducing a surface for data exfiltration and system manipulation.
To address this risk, organizations should apply controls across two facets — actionable configurations are provided in the next section:
(1) inputs: reduce the risk of a prompt injection attack by limiting the untrusted data sources Copilot Cowork is allowed to process.
Example: use Restricted Content Discovery to exclude sensitive SharePoint sites from Copilot Cowork enterprise search.
(2) outputs: limit the sensitive data at risk and the sensitive actions Copilot Cowork can take without human oversight.
Examples: block plugins that perform sensitive write actions in external applications.
Oversharing Through Microsoft Graph
Copilot Cowork inherits every share the signed-in user has — stale Teams memberships, organization-wide SharePoint sites, anyone-with-the-link OneDrive shares.
Issue
Recommendation and configuration
Sensitive sites marked "Everyone in the organization"
Restrict access to an Entra security group via Restricted Access Control (RAC).
1. SharePoint admin center → Policies → Access control → Site-level access control → Check the box.
2. SharePoint admin center → Sites → Active sites → select the site → Settings tab → Restricted site access [choose edit] → Restricted site access → Check the box. Then, search and add security groups. → Click Save.
Sites surfacing in tenant-wide search beyond intent
Apply Restricted Content Discovery (RCD) per site — Microsoft's recommended long-term control for excluding a site from tenant-wide search and Copilot grounding.
SharePoint admin center → Sites → Active sites → select the site → Settings tab → toggle Restrict content from Microsoft 365 Copilot.
Sensitive content extractable from any site Copilot can reach
Apply Block Download. Copilot can still ground on content, but cannot retrieve a link to download files (if exfiltrated, this link would allow attackers to download the file).
From the SharePoint Online Management Shell:
Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true
To block based on a sensitivity label:
Set-Label -Identity <label> -AdvancedSettings @{BlockDownloadPolicy="true"}
Stale memberships and unowned shares
Designate administrators responsible for conducting Site Access Reviews before Copilot Cowork deployment, and on a regular cadence. To initiate a site access review:
SharePoint admin center → Reports → Data access governance → open any report → select up to 100 sites → Initiate site access review.
Sensitivity labels defined but not enforced
Configure auto-labeling policies so labels apply automatically to content matching sensitive info types instead of relying on users to label manually.
Microsoft Purview portal → Solutions → Information protection → Policies → Auto-labeling policies → + Create auto-labeling policy.
Risk from Skills and Plugins
Copilot Cowork's tool surface expands with every plugin and custom skill enabled. The two most important distinctions:
■
Plugins from the M365 App Store go through Microsoft validation, but can still provide Copilot Cowork with expanded capabilities to perform sensitive operations in external services (expanding risk surface in the face of a prompt injection attack).
■
User-authored custom skills are not validated by Microsoft. Microsoft states this directly: "Custom skills created by users aren't validated by Microsoft. Review custom skill outputs carefully."
Employees running Skills?
Configurations to Set Based on Your Posture
Each row pairs a Copilot Cowork-relevant control and the appropriate setting depending on one's organizational risk posture.
Cowork Configuration Reference
Per-control settings across three risk profiles: High Utility, Balanced, and Security-oriented.
Control
Tenant location
Risk profile
Frontier enrollment scope
M365 Admin Center › Copilot › Settings › View All › Copilot Frontier
Note: Changes may take 3 hours to apply.
High Utility, High Risk
Set: All Users
Balanced
Set: Specific Users
Security-oriented
Set: No Access
Anthropic subprocessor (Claude inference)
M365 Admin Center › Copilot › Settings › View All › AI providers operating as Microsoft subprocessors › Anthropic
High Utility, High Risk
Set: All Users
Balanced
Set: Specific Users and Groups
Security-oriented
Set: No Users
Cowork agent availability
M365 Admin Center › Agents › All Agents › Search › Cowork › Users
Block plugins that take write actions in external services
Security-oriented
Block all plugins
See all tenant configurations ↗
Updated May 2026 · PromptArmor Research
Mapping Use Cases to Controls
A single tenant rarely runs Copilot Cowork under one posture. Executive admins, customer-facing sales, finance and legal, and regulated EU users each need a different combination of plugin scope, Conditional Access, Purview DLP, and SharePoint Advanced Management controls. The matrix below maps representative use cases to the controls needed to ship them safely.
Plugin allowlist via M365 Admin Center › Copilot › Agents › Tools › <Plugin Name> › Block / Unblock; block partner plugins that take write actions in external services
SharePoint oversharing
Restricted Access Control (RAC) on sensitive sites: SharePoint admin center › Policies › Access control › Site-level access control, then per-site Restricted site access
Restricted Content Discovery (RCD) on Copilot-eligible sites that shouldn't surface in tenant-wide grounding: SharePoint admin center › Sites › Active sites → site → Settings › Restrict content from Microsoft 365 Copilot
Site Access Reviews on a recurring cadence: SharePoint admin center › Reports › Data access governance → Initiate site access review
Auto-labeling policies so sensitivity labels apply automatically to matching content: Purview portal › Solutions › Information protection › Policies › Auto-labeling policies
Policies
Custom skills (SKILL.md) must be submitted to an admin for review and approval before use
Prohibit "Don't ask again" on Cowork write actions — send email, post to Teams, schedule meeting, modify/delete files — so the per-action approval gate stays active on every invocation
Use the checklist below as a structured rollout plan: identity and tenant settings, then Purview, then Defender XDR, then SharePoint posture, then residency and ongoing operations.
Compliance Framework Mappings
The article's recommendations, mapped to the NIST AI Risk Management Framework. Use this table as the input to your control narrative or audit evidence package.
NIST AI RMF 1.0
Function
Applies to
Controls
GOVERN
Legal, regulatory, and third-party governance
Frontier program enrollment scope established; Anthropic subprocessor usage and scoped; DPIA and ROPA updated to reflect Cowork data flows and Anthropic processing outside the EU Data Boundary
MAP
Context, use cases, AI system scope
Use cases defined per role (Knowledge Worker, etc.) and mapped to required Cowork features; plugin and custom-skill supply-chain risks identified before enablement; oversharing baseline reviewed via SharePoint Advanced Management
MEASURE
Risk assessment and monitoring
Restricted Content Discovery applied per site for content that shouldn't surface in tenant-wide Copilot grounding; recurring Site Access Reviews delegated and run on a schedule; auto-labeling policies in place so sensitivity labels apply automatically to matching content
MANAGE
Risk treatment and ongoing controls
Posture chosen per setting (Frontier, Anthropic subprocessor, agent availability, plugins) from the configuration reference; per-plugin block/unblock with partner plugins that take external write actions blocked by default; custom skills (SKILL.md) require admin review and approval before use; "Don't ask again" prohibited on Cowork write actions; Restricted Access Control and Block Download applied to sensitive sites
Copilot Cowork Security FAQ
Security & Risk
Copilot Cowork is safe for enterprise use only when admins explicitly configure it. Out of the box it inherits every Microsoft Graph permission each user already holds — including stale Teams memberships, broken-inheritance SharePoint sites, and "Everyone except external users" sharing links — so existing oversharing becomes the agent's effective attack surface.
Safe deployment requires controls across five planes: agent availability (M365 Admin Center), identity and Conditional Access (Entra), prompt and grounding governance (Purview DLP), audit (Purview Audit), and endpoint posture (Defender).
Until those are in place, treat Copilot Cowork as pilot-only for high-risk groups (executives, finance, legal, regulated data).
Indirect prompt injection. An attacker plants instructions in data Copilot Cowork reads — an email, a Teams message, a calendar invite, a SharePoint document, a plugin response, or a web result — and hijacks the agent to take action on the user's behalf.
Because Copilot Cowork can send email, post to Teams, schedule meetings, and reorganize files, the resulting impact can affect both integrity and confidentiality.
This is compounded by Copilot Cowork's reach: it runs under the user's delegated Entra identity, so every stale Teams membership, broken-inheritance SharePoint site, and "Everyone except external users" sharing link is part of the effective attack surface.
Decision Making
They share a name and both use Claude models, but the products are different.
Claude Cowork is a local desktop agent that runs on the user's machine.
Microsoft Copilot Cowork is a cloud-tenant agent inside Microsoft 365: it works only with the tenant data the user can access via Microsoft Graph. The risk model centers on Graph permission inheritance, plugin and skill supply chain, and the Anthropic subprocessor data path.
Yes — at three independent layers:
(1) Block at the agent layer. Set Copilot Cowork agent availability to "Blocked" in M365 Admin Center › Copilot › Agents › All agents › Copilot Cowork.
(2) Block at the subprocessor layer. Leave the Anthropic subprocessor toggle off under Copilot › Settings › AI providers operating as Microsoft subprocessors.
(3) Block at the program layer. Do not enroll the tenant or admin account in the Frontier program.
Each layer is independent; defense-in-depth uses all three so that re-enabling any one upstream does not silently re-enable Copilot Cowork.
Copilot Cowork is powered primarily by Anthropic's Claude models. Prompts and grounding content leave first-party Microsoft infrastructure to reach Anthropic for inference. Anthropic operates as a Microsoft subprocessor under the Microsoft Product Terms and DPA.
Tenants can scope Anthropic subprocessor access narrowly by user or group via Copilot › Settings › AI providers operating as Microsoft subprocessors.
Configuration
Yes. Microsoft states explicitly that custom skills are not validated by Microsoft: "Custom skills created by users aren't validated by Microsoft. Review custom skill outputs carefully."
Anyone with OneDrive write access to a user — including via OneDrive sync from a compromised endpoint — can plant a skill that becomes persistent agent instructions for every Copilot Cowork session that user runs.
For high-risk groups (executives, finance, legal), require organization-level review before custom skills are enabled.
Plugins from the M365 App Store are validated by Microsoft but still expand Copilot Cowork's tool surface — vet third-party plugins like any other dependency, and block partner plugins that take sensitive write actions in external services.
Custom skills are not validated by Microsoft — require organization-level review before users enable them.
PromptArmor Threat Intelligence
Is your organization protected from AI vendor risks?
PromptArmor continuously monitors your vendor portfolio for vulnerabilities and changes like this — surfacing risk before it becomes an incident.
