Microsoft Copilot (Microsoft 365): Copilot Pages module on Microsoft 365 Copilot mobile app

🚨 The Signal: Copilot Pages are now accessible on the Microsoft 365 Copilot mobile app. This expands the attack surface for sensitive information accessed via mobile devices, increasing data exfiltration risk.

The Impact

All users accessing Copilot on mobile are affected, increasing the risk of sensitive data exposure and exfiltration.

  • End-users: Increased risk of accidental data exposure on unsecured mobile devices.
  • Security Teams: Expanded scope for data loss prevention (DLP) policies on mobile.
  • Admins: Need to ensure mobile device management (MDM) policies cover Copilot data.
  • Compliance Teams: New considerations for data residency and handling on mobile.

The Action

  1. Review existing Microsoft Intune App Protection Policies (APP) for Microsoft 365 apps to ensure Copilot data is protected.
  2. Verify Conditional Access policies enforce device compliance for mobile access to Microsoft 365 services.
  3. Educate users on secure mobile device practices and handling of sensitive information accessed via Copilot.
  4. Assess Microsoft Purview Data Loss Prevention (DLP) policies for mobile endpoints to prevent exfiltration of Copilot-generated content.
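
One way to run the Conditional Access check in step 2 offline, as an added example that is not part of the original notice or Microsoft's own tooling: it reads policies in the Microsoft Graph conditionalAccessPolicy shape and reports which mobile platforms have no enforced compliant-device requirement. The sample policies, their names and the function names are constructed for illustration; user and group scoping and non-built-in grant controls are ignored.

```python
import json
MOBILE = {"android", "iOS"}
M365_TARGETS = {"All", "Office365"}  # app targets that include Microsoft 365

# Constructed sample, shaped like Graph conditionalAccessPolicy objects.
SAMPLE = json.loads("""[
 {"displayName": "iOS compliant", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]},
                 "platforms": {"includePlatforms": ["iOS"]}},
  "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
 {"displayName": "Android MFA or compliant", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]},
                 "platforms": {"includePlatforms": ["android"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "All platforms pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"]}, "platforms": null},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]""")

def mobile_platforms_in_scope(policy):
    plat = (policy.get("conditions") or {}).get("platforms")
    if not plat:
        return set(MOBILE)  # no platform condition: applies to every platform
    inc = set(plat.get("includePlatforms") or [])
    scope = set(MOBILE) if "all" in inc else inc & MOBILE
    return scope - set(plat.get("excludePlatforms") or [])

def enforces_compliance(policy):
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    # With OR, another control (e.g. mfa) can satisfy the policy instead.
    return "compliantDevice" in controls and (
        grant.get("operator") == "AND" or len(controls) == 1)

def audit(policies):
    """Return (mobile platforms lacking enforcement, [(policy name, reason)])."""
    covered, findings = set(), []
    for p in policies:
        cond = p.get("conditions") or {}
        apps = set((cond.get("applications") or {}).get("includeApplications") or [])
        scope = mobile_platforms_in_scope(p)
        if not (apps & M365_TARGETS) or not scope:
            continue  # policy does not touch Microsoft 365 on mobile
        if p.get("state") != "enabled":
            findings.append((p["displayName"], "not enforced, state=%s" % p.get("state")))
        elif not enforces_compliance(p):
            findings.append((p["displayName"], "compliantDevice absent or optional"))
        else:
            covered |= scope
    return sorted(MOBILE - covered), findings
```

Calling audit(SAMPLE) flags the report-only policy and the policy where MFA can substitute for device compliance, and lists Android as uncovered.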

Domain: Agentic-AI · Impact: medium · Workload: M365 Apps