PromptArmor researchers showed Copilot Cowork retrieves pre-authenticated OneDrive links and embeds them in Teams messages that trigger external requests on open (PromptArmor, 2024). Microsoft documentation states approvals apply to sensitive actions, yet messages to the active user bypass this (Microsoft Learn, 2024). The attack loads via poisoned OneDrive skills and succeeds without admin visibility into skill paths. Related work on agentic systems documents identical egress through URL previews in chat clients (Greshake et al., arXiv:2302.12173). Copilot Cowork’s Graph permissions and lack of per-action consent for self-directed messages create a repeatable pattern across M365 agents. Prior incidents with Claude and GPT agents confirm the same indirect injection vector when multiple data sources converge. The report understates admin oversight gaps; skills auto-load from user OneDrive with no tenant-level audit logs reported in Microsoft documentation.