Microsoft Copilot (Microsoft 365): The Create Module in the M365 Copilot app

🚨 The Signal: A new 'Create Module' in Microsoft 365 Copilot centralises AI-driven content generation. This expands the attack surface for data exfiltration and prompt injection, requiring enhanced data governance and monitoring.

The Impact

All users leveraging Copilot are affected, increasing the risk of sensitive data exposure and intellectual property theft via AI-generated content.

• End users: Risk of inadvertently exposing sensitive data through AI-generated content.
• Security teams: Increased complexity in monitoring and preventing data exfiltration.
• Compliance officers: New challenges in demonstrating data residency and intellectual property protection.
• Administrators: Need to review and update data loss prevention (DLP) policies for AI outputs.

The Action

1. Review and update Microsoft Purview DLP policies to include Copilot-generated content and outputs.
2. Implement sensitivity labels for all AI-generated content to ensure proper data classification.
3. Educate users on responsible AI use, data handling, and the risks of prompt injection.
4. Monitor Copilot usage logs for unusual activity or excessive generation of sensitive content.
5. Assess existing data retention policies for AI-generated artifacts within Microsoft 365.

Domain: Agentic-AI · Impact: high · Workload: M365 Apps