Microsoft Copilot (Microsoft 365): Current web content included when drafting with Copilot in Word

🚨 The Signal: Copilot in Word now integrates Bing search for drafting, pulling current web content. This expands the data sources Copilot can access, which increases the risk of sensitive information exposure if that access is not properly governed.

The Impact

All users of Copilot in Word are affected. The change increases the risk of inadvertent exposure of sensitive internal data through web-sourced content or prompt injection.

  • End users: Risk of generating content that inadvertently mixes internal sensitive data with public web data.
  • Security teams: Increased surface area for data leakage and prompt injection attacks via web content.
  • Compliance officers: New challenges in demonstrating data residency and compliance with data handling policies.
  • Administrators: Need to review and potentially update Copilot data governance policies.

The Action

  1. Review and reinforce Microsoft Purview Data Loss Prevention (DLP) policies for Copilot interactions.
  2. Educate users on responsible prompting and the potential for Copilot to access and integrate web content.
  3. Monitor Copilot activity logs for unusual data access patterns or content generation.
  4. Assess existing data classification and labelling policies to ensure they adequately protect data when used with Copilot.
  5. Consult the Microsoft Purview compliance portal for Copilot data governance settings.

Domain: Agentic-AI · Impact: high · Workload: M365 Apps