Microsoft Copilot (Microsoft 365): Drafting on a selection includes being able to reference files, people, emails, and meetings

🚨 The Signal: Copilot can now reference files, people, emails, and meetings when drafting content based on selected text. This expands Copilot's data access, increasing the risk of oversharing sensitive information if not properly governed.

The Impact

All users are affected. Copilot's expanded contextual access increases the risk of sensitive data exposure.

  • End users: Increased risk of inadvertently exposing sensitive data to Copilot.
  • Security teams: Need to re-evaluate data loss prevention (DLP) policies for Copilot interactions.
  • Data owners: Potential for sensitive information to be used in new contexts without explicit consent.
  • Compliance officers: Requires review of data handling and privacy policies for Copilot usage.

The Action

  1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to specifically address Copilot interactions and sensitive information types.
  2. Educate end users on responsible Copilot usage, emphasising the sensitivity of referenced content and the 'least privilege' principle for data access.
  3. Audit Copilot usage logs (if available) for unusual data access patterns or sensitive information handling.
  4. Ensure sensitivity labels are consistently applied to documents, emails, and meetings to guide Copilot's data handling.
  5. Review Microsoft 365 tenant settings for Copilot data access and sharing permissions.

Domain: Agentic-AI · Impact: high · Workload: M365 Apps