Claude Cowork Could Be Your Biggest Insider Threat
DTEX research finds Claude Cowork grants near-total access to sensitive data, making AI agents insider threats for businesses.
Claude Cowork is handing employees a master key to your company's most sensitive data, and most businesses don't even realize it. Security researchers just showed how easy it is for an insider, malicious or just careless, to drain your SharePoint, OneDrive, Outlook, and Salesforce in under half an hour.
30 Minutes to Empty Your Cloud
DTEX researchers ran two quick tests. Both used simple, single-sentence prompts. No advanced hacking. No zero-day exploits. Just an employee asking Claude's agent to do what it's built to do.
First test: "Summarize this Salesforce data and paste it into an Outlook draft." Done.
Second test: "Archive these files and transfer them through the Cowork app." Executed.
In both cases, the researchers spent 10 to 30 minutes setting up the exfiltration. That's it. The agent had direct access to corporate cloud apps, downloaded production documentation from OneDrive, pulled data from SharePoint, read email, and grabbed anything sitting on the user's endpoint. Then it shared the haul externally through dedicated plugins and APIs.
No CVEs. No patch coming. The software worked exactly as designed.
The Dispatch Problem
What makes Claude Cowork so dangerous in an enterprise is its Dispatch tool. It lets you relay commands from your phone straight to your desktop agent. You don't have to be at your workstation. You don't trigger the same monitoring alarms. You give instructions from anywhere, and the agent executes them as if you were sitting right there.
That same agent also plugs into Salesforce AI agents that can read, move, and transfer business data. This is convenience baked into the product. And it grants near-total access to any system the user has touched.
A Simple Prompt, a Huge Leak
Here's what Claude Cowork can reach when connected to a standard corporate account:
- SharePoint files and folders
- OneDrive production documents
- Outlook email content and attachments
- Salesforce records and all data Salesforce can pull
- Any file on the user's local endpoint
For each of those, there's a plugin or API ready to exfiltrate data if the prompt asks. The agent doesn't question motives. It just carries out instructions.
Why Speed Kills, and You Can't See It
Alex Desmond, director of insider threat intelligence and innovation at DTEX, put the timeline in perspective. Six months ago, a ransomware execution took a couple of hours. Now, as AI agents become embedded in IT workflows, that kill chain has shrunk to 10 to 30 minutes for targeted data extraction.

“In cyberattacks, you talk about the kind of execution time of adversaries coming in and dropping ransomware, we’re now seeing the kill chain drop to 30 and 10 minutes depending on what they’re doing. Six months ago, that was a couple of hours.”
That speed changes everything. When an attacker works fast enough, your security team has almost no time to detect, investigate, and stop a breach. But here's the part most companies overlook: the same speed benefits anyone already inside your network.
North Korea's Favorite New Insider
Western IT and cybersecurity firms have been flooded with job applicants secretly working for the North Korean government. Their paychecks evade sanctions and fund Pyongyang's nuclear program. But more importantly, those people gain legitimate access to employer systems. Once inside, they can steal source code, customer databases, and internal documents.
Now imagine you give that person Claude Cowork. You've not only let a nation-state actor through the front door, you've handed them a shiny tool that automates the theft. Desmond put it bluntly:
“You’ve got a nation-state actor getting into an environment legitimately. Now if you gave them access to AI tools on top of that…you’re like ‘here’s the keys to everything and here’s this awesome tool that’s just going to make your job – stealing our data – easier.’”
That's not hypothetical. It's the new reality of insider threats where AI becomes an accomplice.
You Can't Catch What You Don't Log
Most organizations racing to adopt AI agents have not updated their monitoring to match. If you aren't logging and auditing every prompt your employees feed to Claude Cowork, you may never know how a data leak happened. Was it a malicious command? Did the agent misinterpret an innocent request? You won't have an answer.
Network and cloud monitoring tools might see data being downloaded from SharePoint, but that alone isn't a red flag anymore. If an employee's everyday job involves pulling sensitive files locally, adding an AI agent with the same access profile simply blends into the noise. You lose the signal.
The real fix is not a software patch. It's IT governance. You need access controls that limit what an AI agent can touch. You need audit logs for agent actions and prompts. You need to treat every AI tool as a high-privileged account, because that's exactly what it becomes the moment you connect it to your cloud apps and endpoints.
Claude Cowork isn't broken. It's working exactly as advertised. The risk isn't a vulnerability, it's the way companies are deploying it without the guardrails that any human privileged user would face. And that oversight is what will burn them.
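What auditing agent actions and prompts buys a defender, as an added example that is not from DTEX or the product: the sketch below correlates agent reads with a draft or transfer by the same user inside the 30-minute window described above, and flags chains relayed remotely. The event schema, field names, user names and sample events are assumptions constructed for illustration, not a real Claude Cowork log format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # upper bound of the 10 to 30 minute runs described above
EGRESS = {"draft", "transfer"}   # agent actions that stage or move data out

# Constructed sample events in a hypothetical schema:
# (timestamp, user, origin, action, target, prompt)
EVENTS = [
    ("2025-01-10T09:00:00", "alice", "desktop", "read", "sharepoint", "Find the Q3 plan"),
    ("2025-01-10T13:00:00", "alice", "desktop", "draft", "outlook", "Draft a reply to Bob"),
    ("2025-01-10T14:00:00", "bob", "desktop", "read", "onedrive", "Open the production docs"),
    ("2025-01-10T14:05:00", "bob", "desktop", "read", "sharepoint", "Collect the design files"),
    ("2025-01-10T14:20:00", "bob", "desktop", "transfer", "cowork_app",
     "Archive these files and transfer them through the Cowork app"),
    ("2025-01-10T22:02:00", "mallory", "dispatch", "read", "salesforce", "Open the account list"),
    ("2025-01-10T22:10:00", "mallory", "dispatch", "draft", "outlook",
     "Summarize this Salesforce data and paste it into an Outlook draft"),
]

def find_exfil_chains(events):
    """Return one alert per egress action that follows same-user reads within WINDOW."""
    alerts, reads = [], {}       # reads: user -> [(time, target, origin, prompt)]
    for ts, user, origin, action, target, prompt in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "read":
            reads.setdefault(user, []).append((t, target, origin, prompt))
        elif action in EGRESS:
            recent = [r for r in reads.get(user, []) if t - r[0] <= WINDOW]
            if recent:           # a read-then-egress chain, not an isolated draft
                alerts.append({
                    "user": user,
                    "sources": sorted({r[1] for r in recent}),
                    "sink": target,
                    "minutes": int((t - recent[0][0]).total_seconds() // 60),
                    # relayed from a phone rather than typed at the workstation
                    "remote": origin == "dispatch" or any(r[2] == "dispatch" for r in recent),
                    "prompts": [r[3] for r in recent] + [prompt],
                })
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_chains(EVENTS):
        print(alert)
```

Alice's read and draft are four hours apart and raise nothing; the prompt text kept in each alert is what lets an analyst tell a malicious command from a misread request.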
Frequently Asked Questions
What did DTEX researchers demonstrate about Claude Cowork in their tests?
DTEX researchers demonstrated that with simple single-sentence prompts, Claude Cowork could exfiltrate data from SharePoint, OneDrive, Outlook, and Salesforce in under 30 minutes. In one test, the agent summarized Salesforce data and pasted it into an Outlook draft; in another, it archived files and transferred them through the Cowork app.
Why does the Dispatch tool in Claude Cowork pose a particular security risk?
The Dispatch tool allows users to relay commands from their phone directly to their desktop agent without being at their workstation or triggering the same monitoring alarms. This convenience grants near-total access to any system the user has touched, making it easier for an insider to exfiltrate data without detection.
How quickly can a data extraction using Claude Cowork be completed compared to older methods?
According to DTEX director Alex Desmond, the kill chain for targeted data extraction has dropped to 10 to 30 minutes, whereas six months ago a ransomware execution took a couple of hours. This speed gives security teams almost no time to detect, investigate, and stop a breach.
Who is described in the article as a likely beneficiary of Claude Cowork's capabilities?
The article describes Western IT and cybersecurity firms that have been flooded with job applicants secretly working for the North Korean government. Once inside with legitimate access, these nation-state actors could use Claude Cowork to automate theft of source code, customer databases, and internal documents.
What does the article say is the real fix for the risks posed by Claude Cowork?
The article states the real fix is not a software patch but IT governance, including access controls that limit what an AI agent can touch and audit logs for agent actions and prompts. It also recommends treating every AI tool as a high-privileged account, because that is what it becomes when connected to cloud apps and endpoints.