Microsoft Copilot (Microsoft 365): Audio summary of your file

🚨 The Signal: Copilot can now generate audio summaries of files, converting text to speech. This expands data exfiltration vectors and increases the risk of sensitive information being consumed audibly in uncontrolled environments.

The Impact

All users are affected: audio summaries increase the risk of sensitive data exposure.

  • End Users: Risk of inadvertently exposing sensitive data via audio in public.
  • Security Teams: Larger surface area to cover for data exfiltration and compliance monitoring.
  • Compliance Officers: New vector for data leakage, complicating audit and compliance.
  • Admins: Need to review and update DLP policies for audio content.

The Action

  1. Review existing Microsoft Purview DLP policies so that they include audio content types and sensitive information types.
  2. Implement or update Information Protection sensitivity labels to classify files containing sensitive data.
  3. Educate users on the risks of playing audio summaries of sensitive files in public or unsecured environments.
  4. Monitor Microsoft Purview audit logs for unusual access or sharing patterns related to audio summaries.
  5. Consider restricting Copilot access for users handling highly sensitive data if DLP controls are insufficient.

Domain: Agentic-AI · Impact: high · Workload: OneDrive