Microsoft Copilot (Microsoft 365): List email attachments in M365 Copilot
🚨 The Signal: Microsoft 365 Copilot can now list email attachments, increasing data exposure risk. This feature enhances Copilot's ability to access and summarise sensitive information within user mailboxes, potentially leading to inadvertent disclosure if not properly governed.
The Impact
All users with access to Copilot are affected; AI summarisation of mailbox content widens the exposure of sensitive attachment data.
- End Users: Risk of inadvertent sharing of sensitive attachment content via Copilot.
- Security Teams: Increased data exposure surface requires stricter DLP and access controls.
- Compliance Teams: New considerations for data handling and retention policies with AI access.
- Admins: Need to review and potentially adjust Copilot access and data governance policies.
The Action
- Review existing Microsoft Purview Data Loss Prevention (DLP) policies for Exchange Online to ensure they adequately cover attachment content accessed by Copilot.
- Audit Microsoft 365 Copilot access policies in the Microsoft 365 admin center to restrict access for users handling highly sensitive information.
- Implement or refine Information Barriers in Microsoft Purview to prevent Copilot from accessing attachments across restricted user segments.
- Educate users on responsible Copilot usage, emphasising that sensitive attachment content may be summarised and presented.
- Monitor Microsoft Purview Audit logs for Copilot activities involving sensitive attachments to detect unusual access patterns.
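As an added example of the monitoring step above (not code from the advisory or from Microsoft), the following Exchange Online PowerShell pulls Copilot interaction records from the unified audit log and surfaces the ones that touched mail items or labelled content. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an audit-reader role, and that the record type CopilotInteraction and the AuditData properties AccessedResources, Type, Name, SensitivityLabelId and AppHost exist in your tenant's schema; verify those names against a real record before relying on the filter.

```powershell
# Added example: flag Copilot interactions that accessed mail items or labelled resources.
# Assumptions (verify in your tenant): RecordType 'CopilotInteraction'; AuditData carries
# AccessedResources[] with Type/Name/SensitivityLabelId and a top-level AppHost.
function Get-CopilotAttachmentAccess {
    param(
        [int]$LookbackDays = 7,
        [string[]]$UserIds            # optional: narrow to specific mailboxes
    )
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddDays(-$LookbackDays)

    $params = @{
        StartDate  = $start
        EndDate    = $end
        RecordType = 'CopilotInteraction'
        ResultSize = 5000             # single-page maximum; use SessionCommand for larger sets
    }
    if ($UserIds) { $params.UserIds = $UserIds }

    Search-UnifiedAuditLog @params | ForEach-Object {
        $record = $_
        $data   = $record.AuditData | ConvertFrom-Json
        foreach ($res in @($data.AccessedResources)) {
            # Type values matched here are assumed; adjust after inspecting real records.
            $isMail   = $res.Type -match 'Email|Attachment|Mail'
            $hasLabel = -not [string]::IsNullOrEmpty($res.SensitivityLabelId)
            if ($isMail -or $hasLabel) {
                [pscustomobject]@{
                    Time     = $record.CreationDate
                    User     = $record.UserIds
                    AppHost  = $data.AppHost
                    Resource = $res.Name
                    Type     = $res.Type
                    LabelId  = $res.SensitivityLabelId
                }
            }
        }
    }
}

# Usage: last 3 days, ranked per user, to spot unusual volumes of attachment access.
Get-CopilotAttachmentAccess -LookbackDays 3 |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Feed the per-user counts into whatever baseline or alerting you already run against Purview audit data; a sudden jump for one account is the "unusual access pattern" the action item refers to.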
Domain: Agentic-AI · Impact: high · Workload: Microsoft Purview