> Within the article, the wording is much more accurate: “The victim uploads a skill file to Copilot Cowork that contains a prompt injection,” and “The injection manipulates Microsoft Copilot Cowork into posting a Teams message that exfiltrates pre-authenticated file download links when viewed.”

it's indeed accurate and clearly states what the outcome is: an exfiltration. why is it misleading to say so in the title?

it's pretty obvious that it means that "cowork" is the component vulnerable to exfiltration, not the prime actor.