Microsoft Copilot Cowork Privacy Review for Solo Freelancers
Microsoft is now rolling out Copilot Cowork to its Frontier preview customers — an agent built into Microsoft 365 that can read your email, draft replies, schedule meetings, post in Teams, and produce documents on your behalf. For solo consultants who live in M365, that sounds like a serious time-saver. It also raises a serious question: if an agent inherits your full M365 permissions and can act across your tenant, what happens when something goes wrong — a poisoned plug-in, a hostile email, a quietly approved action? Security researchers at PromptArmor published a working exploit chain on May 23, 2026 showing exactly that. The short answer up front: based on the current documentation and that disclosed vulnerability, Cowork is not a tool I would let near paid client work yet.
What Copilot Cowork does with your data
Copilot Cowork is described in Microsoft’s official documentation as an agent that runs across your Microsoft 365 environment, carrying out tasks rather than just suggesting them (per Microsoft Learn, retrieved 2026-05-29). It can send emails through Outlook, schedule calendar events, build Word and Excel files, post in Teams, and trigger plug-ins from third-party providers. Cowork inherits the permissions of the signed-in user, which means it can reach any document, mailbox folder, or chat the user can already reach — nothing more, nothing less, but also nothing isolated.
The data plumbing relies on Microsoft Graph. Per Microsoft’s own Data, Privacy, and Security article for M365 Copilot (retrieved 2026-05-29), prompts, responses, and data accessed through Graph are not used to train the foundation models that power Copilot. Microsoft also claims compliance with the General Data Protection Regulation and with the EU Data Boundary for European tenants. Customer data stays inside the M365 service boundary in the sense that Microsoft doesn’t pipe it into model training — that part of the posture is genuinely cleaner than most consumer chatbots, and worth crediting.
The harder part is what Cowork is authorized to do once it’s active. Microsoft’s documentation states that the agent asks for permission before sensitive actions, with a risk-level indicator for medium and high-risk steps. Admins can restrict which plug-ins users may install. But the action-approval system has a gap that matters for anyone handling client data: when the recipient of a generated email or Teams message is the active user themselves, the message goes through without an approval prompt. PromptArmor’s research, published May 23, 2026, demonstrated that this loophole can be chained with a poisoned plug-in to exfiltrate files from a tenant — the agent is instructed to write a self-message containing client data, the user opens it, and an embedded image quietly fires a request to an attacker-controlled server. Microsoft was notified, but the design issue around delegated agent authority is not currently patched in the preview build.
What this means for solo freelancers
If you’re a solo consultant who runs your business out of Microsoft 365 — bookkeepers, fractional CFOs, virtual assistants, project managers, IT contractors — your tenant probably contains a mix of your own admin data and at least some material your clients consider confidential. SOWs, signed NDAs, draft contracts, payroll spreadsheets, vendor pricing, client PII inside email threads. The point of Cowork is that an agent can touch all of that on your behalf. The risk is that the same agent can be steered by content it ingests, not just by you.
Three concrete scenarios where the agent design hurts solo workers handling client material:
- Poisoned plug-in exfiltrates other clients’ data. You install a “marketing analytics” plug-in to summarize ad-campaign data for a client; the plug-in returns a payload containing hidden instructions; Cowork follows them, drafts a self-message containing your other clients’ invoices, and the data leaks the moment you open the message in Outlook. Based on the policy as written and the disclosed PromptArmor exploit, that chain is technically possible in the current preview build.
- Adversarial content inside a routine client document. A client emails you a “brief” PDF that contains embedded instructions invisible to a human reader. Cowork is asked to summarize it, and the hidden text redirects the agent toward sending a different client’s file to an external address. The agent did exactly what the input told it to do — that is the design.
- GDPR liability lane gets messy. You handle EU client data under a controller-processor split, and a Cowork incident triggers a notifiable breach. Based on the policy as written, Microsoft is your data processor — but the breach origin is your tenant, your authentication, your agent configuration. The shared-responsibility line is not where you want it for a regulator investigation.
None of these three scenarios requires a sophisticated attacker. The first two require only an inbound email or a plug-in install. The third is hard to defend without a clean audit trail, which a solo operator typically doesn’t have. For a solo freelancer with no SOC, no incident-response retainer, and no in-house legal, that residual risk is heavier than the time savings the agent offers. Our “how we evaluate AI tools” page covers the framework we apply when an agent-class product introduces shared-responsibility liability that a solo operator cannot easily carry alone.
How to use it safely
If you have access to Cowork through the Frontier preview and want to test it without exposure to client work, treat it as a sandboxed experiment, not a production tool.
- Create a separate M365 tenant or at least a separate user account with no access to client folders, client mailboxes, or shared OneDrive libraries containing real work. The agent inherits permissions — so restrict permissions first.
- In Microsoft Admin Center, disable all third-party plug-ins for the Cowork test account. Plug-ins are the documented prompt-injection surface; remove them and you remove most of the attack chain.
- Turn off automatic email previews in Outlook and image loading in Teams. The exploit relies on a network request firing the instant a compromised self-message is rendered. If previews and remote images are blocked, the egress channel narrows considerably.
- Never paste client data — names, account numbers, contract terms — into Cowork prompts during testing. Use synthetic data that looks realistic but isn’t real.
- Review the action approval log daily during preview. Microsoft’s docs note that approval prompts are shown for medium and high-risk actions, but you want a written record of every action the agent took.
- If you are an admin for a multi-user tenant, do not enroll the tenant in Frontier until the messages-to-self bypass is patched. Wait for Microsoft to publish a fix advisory.
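As an added example (not Microsoft’s tooling, and the log record layout is an assumption rather than Cowork’s real schema), here is a small review pass over an action log that flags the exact pattern described above: a send action addressed only to the acting user, so no approval prompt was shown, whose body loads an image from a host you have not allow-listed. The sample entries are constructed.

```python
# Added example for this review: flags agent-sent self-messages that load a
# remote image. The log record layout is an assumption, not Microsoft's schema.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"contoso.sharepoint.com"}  # assumed allow-list of image hosts


class RemoteImageFinder(HTMLParser):
    """Collect the host of every <img src="http(s)://..."> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        parsed = urlparse(dict(attrs).get("src") or "")
        if parsed.scheme in ("http", "https") and parsed.hostname:
            self.hosts.append(parsed.hostname.lower())


def remote_image_hosts(html_body):
    finder = RemoteImageFinder()
    finder.feed(html_body)
    return finder.hosts


def review_actions(actions):
    """Return (id, untrusted_hosts) for each send action whose only recipient is
    the acting user (the case that skips the approval prompt) and whose body
    loads an image from a host outside TRUSTED_HOSTS."""
    findings = []
    for a in actions:
        if a["action"] != "send_message":
            continue
        self_addressed = {r.lower() for r in a["to"]} == {a["actor"].lower()}
        untrusted = [h for h in remote_image_hosts(a["body"]) if h not in TRUSTED_HOSTS]
        if self_addressed and untrusted:
            findings.append((a["id"], untrusted))
    return findings


SAMPLE_ACTIONS = [  # constructed entries, not real log data
    {"id": 1, "action": "send_message", "actor": "me@example.com",
     "to": ["client@example.net"], "body": "<p>Invoice attached.</p>"},
    {"id": 2, "action": "send_message", "actor": "me@example.com",
     "to": ["me@example.com"], "body": '<p>Notes</p><img src="https://beacon.invalid/x.png">'},
    {"id": 3, "action": "send_message", "actor": "me@example.com",
     "to": ["me@example.com"], "body": '<img src="https://contoso.sharepoint.com/logo.png">'},
]
```

Run `review_actions(SAMPLE_ACTIONS)` over your own export and treat every hit as something to inspect before the message is ever rendered with remote images enabled.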
Privacy-friendlier alternatives
If the use case is “I want an AI assistant inside my productivity stack without granting it agent-level authority over my tenant,” there are calmer choices for solo freelancers handling client work.
Proton Mail and Proton Drive. What it gives you that Cowork doesn’t: end-to-end encryption on email and stored files, a Swiss jurisdiction with no equivalent agentic-authority feature, and no LLM acting on your inbox at all. The trade-off is no AI summarization or scheduling automation. For freelancers whose clients require encryption at rest plus a clean GDPR controller story, Proton Unlimited at roughly $10–13 per month is the cleanest baseline.
1Password Business as the credential layer. What it gives you that Cowork doesn’t: a single audited place for every client login, SSO into M365 if you decide to stay in that ecosystem, and no agent ever touching the credentials themselves. Around $7.99 per user per month. This is the right pairing for anyone who keeps M365 but wants to harden the perimeter.
Tailscale for shared client folders. What it gives you that Cowork doesn’t: file sharing over a private mesh network without any cloud agent in the middle. Free for individual freelancers, $6 per user per month for the team plan. Target user: freelance developers, designers, and consultants who already self-host part of their stack and want to share work folders with clients without exposing them to an enterprise agent layer.
For broader account security, a hardware key like a YubiKey 5C NFC is a worthwhile add-on regardless of which productivity stack you choose — it prevents the credential phishing that often precedes agent-tenant abuse.
ATP Privacy-Vetted: AVOID FOR PAID CLIENT WORK
Microsoft Copilot Cowork should not be used on tenants that hold paid client data while the documented messages-to-self bypass remains unpatched in the Frontier preview. The model-training posture is clean and the GDPR alignment is plausible, but a working file exfiltration chain published May 23, 2026 — combined with full delegated authority across email, Teams, calendar, and OneDrive — pushes the residual risk above what a solo freelancer can carry. Revisit once Microsoft ships a fix advisory and the approval-prompt gap is closed.
Frequently asked questions
Is Microsoft Copilot Cowork GDPR-friendly for EU freelance clients?
Microsoft documents compliance with the GDPR and the EU Data Boundary for Microsoft 365 Copilot at the platform level (Microsoft Learn, retrieved 2026-05-29). Based on the policy as written, the data-residency story is plausible. The harder question is incident liability: if a Cowork exploit exfiltrates EU personal data from your tenant, the breach origin is your tenant, which complicates the controller-processor split. For paid EU client work in 2026, this configuration carries a higher regulatory exposure than freelancers should accept.
Can I use Copilot Cowork for HIPAA-protected data?
Microsoft offers a HIPAA Business Associate Agreement for Microsoft 365 commercial tenants on eligible plans. However, the documented exfiltration chain in PromptArmor’s May 2026 research — where a poisoned plug-in induces the agent to draft self-messages containing protected data — would constitute a reportable breach event under HIPAA rules. Based on the policy and the unpatched vulnerability, freelance medical scribes, billing coders, and healthcare consultants should avoid Cowork for PHI until Microsoft publishes a remediation advisory.
Does Cowork train Microsoft’s models on my prompts or my tenant data?
Per Microsoft’s Data, Privacy, and Security article for M365 Copilot (retrieved 2026-05-29), prompts, responses, and information accessed through Microsoft Graph are not used to train the foundation models powering Copilot — including the model used by Cowork. This part of the posture is materially cleaner than consumer chatbots that opt users into training by default, and worth crediting in the overall risk assessment.
How is Cowork different from the regular Microsoft Copilot I’ve been using?
Regular Copilot suggests text, summarizes documents, and drafts content that you then send. Cowork takes actions on your behalf across the M365 surface — sends emails, posts in Teams, schedules meetings, creates files — with delegated authority that uses your permissions. The privacy implication is significant: a suggestion engine cannot leak data on its own, but an agent with send-message authority can, especially when the approval gate has a documented bypass.
If I disable third-party plug-ins, is Cowork safe to use?
Disabling plug-ins removes the specific prompt-injection vector demonstrated by PromptArmor, which is a meaningful reduction. However, any user-facing content the agent ingests — emails from external senders, shared documents, Teams messages — remains a potential injection surface. Disabling plug-ins lowers risk but does not eliminate it. For sandbox testing, plug-ins off plus a separated test tenant is the recommended baseline.
Will Microsoft patch the messages-to-self approval bypass?
PromptArmor disclosed the issue to Microsoft and published the research May 23, 2026. As of the snapshot date for this review (2026-05-29), Microsoft has not issued a public remediation advisory specific to the Cowork approval-bypass behavior. The Cowork documentation continues to describe the action-approval system without flagging the self-message edge case. Track Microsoft’s security blog and the Cowork release notes for a fix before reconsidering this tool for client work.
Sources
- PromptArmor research, “Microsoft Copilot Cowork Exfiltrates Files” — published 2026-05-23, retrieved 2026-05-29: promptarmor.com
- Microsoft Learn, “Copilot Cowork overview (Frontier)” — retrieved 2026-05-29: learn.microsoft.com
- Microsoft Learn, “Copilot Cowork common questions (Frontier)” — retrieved 2026-05-29: learn.microsoft.com
- Microsoft Learn, “Data, Privacy, and Security for Microsoft 365 Copilot” — retrieved 2026-05-29: learn.microsoft.com
- Microsoft Privacy Statement — retrieved 2026-05-29: privacy.microsoft.com