Outlook: Copilot Pages – View, edit & share in Outlook Mobile
🚨 The Signal: Copilot Pages, which allow collaborative AI content creation, are now viewable, editable, and shareable on Outlook Mobile. This expands the attack surface for sensitive information exposure and prompt injection via mobile devices.
The Impact
All users are affected. Mobile access to Copilot Pages increases the risk of sensitive data exposure and prompt injection attacks.
- End users: Increased risk of accidental data exposure via mobile sharing.
- Security teams: New mobile vector for prompt injection attacks and data loss.
- Compliance teams: Challenges in maintaining data governance on mobile platforms.
- Administrators: Need to review mobile access policies for Copilot content.
The Action
- Review and enforce Microsoft Intune App Protection Policies (APP) for Outlook Mobile to restrict data sharing and saving.
- Implement Conditional Access policies to control mobile device access to Copilot features based on device compliance and location.
- Educate users on secure handling of Copilot-generated content on mobile, emphasizing data classification and sharing policies.
- Monitor Microsoft Purview audit logs for unusual sharing or access patterns of Copilot Pages from mobile devices.
- Review and update AI governance policies to specifically address mobile access and sharing of AI-generated content.
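
For the first action item, the review of App Protection Policies can be scripted against an export of the policies. The following is an added example, not Microsoft's or this page's own code: it assumes the policies were exported as JSON in the shape of a Microsoft Graph list response, and the baseline values and sample policies are constructed for illustration.

```python
import json

# Assumed baseline for "restrict data sharing and saving" (chosen for this
# example, not a Microsoft-published baseline). Keys are Microsoft Graph
# managedAppProtection property names; values are the settings accepted here.
BASELINE = {
    "allowedOutboundDataTransferDestinations": {"managedApps", "none"},
    "allowedOutboundClipboardSharingLevel": {
        "managedApps", "managedAppsWithPasteIn", "blocked"},
    "saveAsBlocked": {True},
    "dataBackupBlocked": {True},
}

def audit_policy(policy):
    """Return (property, actual_value) pairs that do not meet the baseline."""
    findings = []
    for prop, accepted in BASELINE.items():
        actual = policy.get(prop)  # a missing property is reported as None
        if actual not in accepted:
            findings.append((prop, actual))
    return findings

def audit_export(export_json):
    """Map each policy's displayName to its findings."""
    policies = json.loads(export_json).get("value", [])
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}

# Constructed sample export: one policy that meets the baseline, one that does not.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Outlook iOS - strict",
     "allowedOutboundDataTransferDestinations": "managedApps",
     "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
     "saveAsBlocked": True,
     "dataBackupBlocked": True},
    {"displayName": "Outlook Android - legacy",
     "allowedOutboundDataTransferDestinations": "allApps",
     "allowedOutboundClipboardSharingLevel": "managedApps",
     "saveAsBlocked": False},
]})

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {name}")
        for prop, actual in findings:
            print(f"       {prop} = {actual!r}")
```

A policy that omits a baseline property is flagged rather than assumed safe, so partial exports surface as findings instead of passing silently.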
Domain: Agentic-AI · Impact: high · Workload: M365 Apps