Microsoft 365 Copilot Notebooks: Support for TXT and RTF files as notebook references
🚨 The Signal: Copilot Notebooks now support TXT and RTF files as reference sources, expanding the data Copilot can process. This increases the attack surface for data exfiltration and prompt injection, requiring careful data governance.
The Impact
Users with Copilot Notebooks are affected, increasing the risk of sensitive data exposure and prompt injection attacks.
- End users: Increased risk of inadvertently exposing sensitive data to Copilot.
- Security team: Expanded data ingestion increases the attack surface for prompt injection.
- Data owners: Broader data access requires re-evaluation of data classification and labeling.
- Compliance officers: Need to verify existing policies adequately cover new file types in Copilot.
The Action
- Review and update Microsoft Purview Data Loss Prevention (DLP) policies to ensure TXT and RTF files containing sensitive information are appropriately protected when used with Copilot.
- Educate users on the responsible use of Copilot Notebooks, emphasizing the risks of uploading sensitive or proprietary information.
- Assess existing data classification and labeling policies to confirm they adequately cover TXT and RTF files and their interaction with Copilot.
- Monitor Copilot usage logs for unusual activity or attempts to exfiltrate data via prompt engineering.
Domain: Agentic-AI · Impact: high · Workload: M365 Apps