Outlook: Custom Instructions for draft with Copilot
🚨 The Signal: Copilot in Outlook now lets users supply custom instructions when drafting emails, for example to set tone and length. Because those instructions shape the model's output, drafts become less controlled, which increases the risk of sensitive data exposure.
The Impact
All users who draft email with Copilot are affected; the change increases the risk of inadvertent disclosure of sensitive information.
- End users: Risk of oversharing sensitive data via AI-generated content.
- Security Team: Larger attack surface for prompt injection, since user-controlled instructions now feed the drafting model.
- Compliance Team: New challenges in monitoring and auditing AI-generated communications.
- AI Governance: Requires updated policies for responsible AI use in communications.
The Action
- Review and update existing Responsible AI policies to include guidelines for custom instructions in Copilot.
- Educate users on the risks of prompt injection and oversharing when using custom instructions.
- Monitor Copilot usage logs for unusual patterns or data exfiltration attempts.
- Implement Microsoft Purview Data Loss Prevention (DLP) policies to detect and block sensitive information in AI-generated emails.
- Consider implementing Microsoft Defender for Cloud Apps policies to monitor Copilot interactions.
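One concrete way to start on the "monitor Copilot usage logs" action: Copilot prompt/response events land in the Microsoft Purview unified audit log under the CopilotInteraction record type. The script below is an added example, not part of the original advisory and not Microsoft's code. It assumes the ExchangeOnlineManagement module, an account with the Audit Logs or View-Only Audit Logs role, that the AuditData payload carries CopilotEventData.AppHost naming the hosting app (verify against your own tenant's records), and a per-user threshold of 200 interactions per week that is a constructed placeholder, not a recommended value.

```powershell
# Added example (not from the original advisory): baseline Copilot-in-Outlook
# interaction volume per user from the Microsoft Purview unified audit log.
# Assumes the ExchangeOnlineManagement module and an account holding the
# View-Only Audit Logs (or Audit Logs) role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# RecordType CopilotInteraction holds Microsoft 365 Copilot prompt/response
# events. This pulls the first page (up to 5000 records); add SessionId
# handling to page through larger tenants.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -ResultSize 5000 -SessionCommand ReturnLargeSet

$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time    = [datetime]$d.CreationTime
        User    = $d.UserId
        # AppHost identifies the hosting app (e.g. "Outlook"); field name taken
        # from the CopilotEventData schema -- assumption, verify in your tenant.
        AppHost = $d.CopilotEventData.AppHost
    }
}

# Only Outlook-hosted interactions matter for the email-drafting scenario.
$outlook = $events | Where-Object { $_.AppHost -eq 'Outlook' }

# Per-user counts; flag users above a constructed threshold (assumption: tune
# to your own observed baseline) as a starting point for investigation.
$threshold = 200
$outlook | Group-Object User |
    Select-Object @{n='User';e={$_.Name}},
                  @{n='Interactions';e={$_.Count}},
                  @{n='AboveBaseline';e={$_.Count -gt $threshold}} |
    Sort-Object Interactions -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and keep the per-user table so that week-over-week changes, rather than a fixed number, drive the review; pair the resulting user list with the Purview DLP and Defender for Cloud Apps policies from the action items above to see which flagged drafts actually contained sensitive content.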
Domain: Agentic-AI · Impact: high · Workload: M365 Apps