Microsoft Copilot (Microsoft 365): Copilot Chat now supports more file types in search grounding.

🚨 The Signal: Copilot Chat now processes more file types for search, expanding its data grounding. This increases the attack surface for sensitive information disclosure if data governance is not robust.

The Impact

All users are affected, with an increased risk of sensitive data exposure through Copilot Chat if access controls are not properly configured.

  • End Users: May inadvertently expose sensitive data by querying Copilot if underlying file permissions are too broad.
  • Security Teams: Must re-evaluate data access policies and Copilot's grounding scope to prevent unintended information disclosure.
  • Data Owners: Need to verify permissions on newly supported file types to ensure they align with 'need-to-know' principles.
  • Compliance Officers: Face increased scrutiny on data handling and retention policies due to expanded Copilot data access.

The Action

  1. Review Microsoft Purview Data Loss Prevention (DLP) policies to ensure coverage for newly supported file types accessed by Copilot.
  2. Audit SharePoint Online and OneDrive for Business site permissions and file-level access for sensitive documents.
  3. Implement or refine Microsoft Purview Information Protection (MIP) sensitivity labels for all relevant file types.
  4. Educate users on responsible Copilot usage, emphasizing that Copilot respects existing file permissions.
  5. Monitor Copilot usage logs for unusual access patterns or queries that might indicate data overexposure.
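As an added example for step 5 (not code from the briefing or from Microsoft), the PowerShell below pulls Copilot interaction events from the Microsoft 365 unified audit log with `Search-UnifiedAuditLog -RecordType CopilotInteraction` and summarises, per user, how many distinct files and how many sensitivity-labelled files their Copilot sessions touched, so that users whose grounding scope looks broader than their role warrants can be reviewed. It assumes the Exchange Online Management module is installed, that the tenant's `AuditData` JSON carries `CopilotEventData.AccessedResources` entries with `Id` and `SensitivityLabelId` fields (check one exported record before relying on these names), and that the two thresholds are tenant-specific baselines you tune yourself.

```powershell
# Added example, not from the original briefing. Summarise CopilotInteraction
# audit records per user and flag users whose Copilot queries touched an
# unusually large number of distinct or labelled files.
# Assumptions: Exchange Online Management module (Connect-ExchangeOnline) is
# available; AuditData records expose CopilotEventData.AccessedResources with
# Id and SensitivityLabelId; thresholds are placeholder baselines to tune.

function Get-CopilotAccessSummary {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,   # output of Search-UnifiedAuditLog
        [int] $DistinctFileThreshold = 25,                 # assumed baseline, tune per tenant
        [int] $LabelledFileThreshold = 5                   # assumed baseline, tune per tenant
    )

    $perUser = @{}
    foreach ($record in $AuditRecords) {
        # AuditData is a JSON string in the common audit schema; UserId is the actor.
        $data = $record.AuditData | ConvertFrom-Json
        $user = $data.UserId
        if (-not $perUser.ContainsKey($user)) {
            $perUser[$user] = [pscustomobject]@{
                User          = $user
                Interactions  = 0
                Files         = [System.Collections.Generic.HashSet[string]]::new()
                LabelledFiles = [System.Collections.Generic.HashSet[string]]::new()
            }
        }
        $entry = $perUser[$user]
        $entry.Interactions++

        # Each grounding resource Copilot read for this prompt is listed here
        # (field names are an assumption; verify against an exported record).
        foreach ($res in @($data.CopilotEventData.AccessedResources)) {
            if (-not $res.Id) { continue }
            [void]$entry.Files.Add($res.Id)
            if ($res.SensitivityLabelId) { [void]$entry.LabelledFiles.Add($res.Id) }
        }
    }

    $perUser.Values | ForEach-Object {
        [pscustomobject]@{
            User          = $_.User
            Interactions  = $_.Interactions
            DistinctFiles = $_.Files.Count
            LabelledFiles = $_.LabelledFiles.Count
            Flag          = ($_.Files.Count -gt $DistinctFileThreshold) -or
                            ($_.LabelledFiles.Count -gt $LabelledFileThreshold)
        }
    } | Sort-Object DistinctFiles -Descending
}

# Live usage: review the last 7 days of Copilot interaction events.
Connect-ExchangeOnline
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType CopilotInteraction -ResultSize 5000
Get-CopilotAccessSummary -AuditRecords $records | Where-Object Flag | Format-Table -AutoSize
```

`-ResultSize 5000` is the cmdlet's per-call maximum; for busier tenants narrow the date window or page through results with `-SessionCommand ReturnLargeSet` and a `-SessionId`. A flagged user is a review prompt, not a finding in itself: the follow-up is to check whether the files Copilot grounded on are ones that user should be able to open, which loops back to the permission audit in step 2.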

Domain: Agentic-AI · Impact: high · Workload: Other