Microsoft Copilot (Microsoft 365): Drafting on a selection includes being able to reference files, people, emails, and meetings
🚨 The Signal: Copilot can now reference files, people, emails, and meetings when drafting content from selected text. This expands Copilot's data access and potential for information synthesis, increasing the risk of oversharing or data leakage if not properly governed.
The Impact
All users are affected: Copilot's enhanced data referencing capabilities increase the risk of inadvertent data exposure.
- End-users: Risk of oversharing sensitive information via Copilot.
- Security Teams: Increased surface area for data leakage and compliance breaches.
- Data Owners: Potential for unauthorized access to sensitive documents.
- Compliance Officers: Greater challenge in maintaining data governance and audit trails.
The Action
- Review and enforce Microsoft Purview Data Loss Prevention (DLP) policies for Copilot interactions.
- Audit existing sensitivity labels and ensure proper classification of sensitive data.
- Implement or refine Information Barriers to prevent unauthorized communication flows.
- Educate users on responsible Copilot usage and data handling best practices.
- Monitor Copilot activity logs for unusual data access patterns or sharing events.
Domain: Agentic-AI · Impact: high · Workload: M365 Apps