Microsoft Copilot (Microsoft 365): Overview of recent comments and changes in Word, Excel, PowerPoint

🚨 The Signal: Copilot can now summarise document changes and comments in Word, Excel, and PowerPoint. This enhances data visibility for users but increases the risk of sensitive information exposure if access controls are not robust.

The Impact

All users are affected: Copilot's summarisation capabilities increase the risk of inadvertent sensitive data exposure.

  • End Users: Risk of oversharing sensitive document changes through Copilot summaries.
  • Security Teams: Increased surface area for data exfiltration and compliance breaches.
  • Data Owners: Potential for sensitive information to be summarised and exposed to unauthorised viewers.
  • Compliance Officers: New challenge in monitoring and auditing information flow within documents.

The Action

  1. Review and enforce existing Microsoft Purview Data Loss Prevention (DLP) policies for Word, Excel, and PowerPoint.
  2. Educate users on responsible use of Copilot, emphasising not to summarise or share documents containing sensitive information without proper authorisation.
  3. Implement or refine sensitivity labels in Microsoft Purview to automatically protect and restrict access to sensitive documents.
  4. Monitor Microsoft 365 audit logs for Copilot activities, specifically focusing on document summarisation and sharing events.
  5. Assess and update information handling policies to explicitly address AI-driven summarisation features and their implications for sensitive data.
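
For step 4, one way to pull Copilot activity for Word, Excel, and PowerPoint out of the unified audit log and list the sensitivity-labelled files it touched. This is an added example, not part of the original advisory. It assumes an Exchange Online PowerShell session (`Connect-ExchangeOnline`), that Copilot events are recorded under the `CopilotInteraction` record type, and that the `AuditData` field names used below match your tenant's records; the 7-day window is arbitrary.

```powershell
# Added example: run after Connect-ExchangeOnline with an account that has
# audit-log search rights. Field names under AuditData are assumptions taken
# from the CopilotInteraction audit schema; verify against one raw record.
$apps  = 'Word', 'Excel', 'PowerPoint'     # workloads named in the advisory
$end   = Get-Date
$start = $end.AddDays(-7)                  # review window (assumption)

# Page through the results; one session id ties the batches together.
$sessionId = [guid]::NewGuid().ToString()
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($batch) { $records += $batch }
} while ($batch)

# Flatten each interaction into one row per file Copilot read.
$hits = foreach ($r in $records) {
    $evt = ($r.AuditData | ConvertFrom-Json).CopilotEventData
    if ($evt.AppHost -notin $apps) { continue }   # skip Teams, chat, etc.
    foreach ($res in $evt.AccessedResources) {
        [pscustomobject]@{
            Time     = $r.CreationDate
            User     = $r.UserIds
            App      = $evt.AppHost
            Resource = $res.Name
            SiteUrl  = $res.SiteUrl
            LabelId  = $res.SensitivityLabelId    # empty when unlabelled
        }
    }
}

# Who is running Copilot over labelled content, and how often.
$hits | Where-Object LabelId |
    Group-Object User, LabelId |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep the full row set for the compliance review.
$hits | Export-Csv -Path .\copilot-office-activity.csv -NoTypeInformation
```

The filter is by host application only, so the output covers every Copilot interaction in those three apps, not just change-and-comment summaries. Map the `LabelId` GUIDs to label names with `Get-Label` in a Security & Compliance PowerShell session.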

Domain: Agentic-AI · Impact: high · Workload: M365 Apps