Microsoft Edge: Ground Microsoft 365 Copilot Chat in Edge for Business in your open YouTube videos
🚨 The Signal: Copilot Chat in Edge for Business can now summarise YouTube videos. This introduces new data exfiltration vectors and potential for sensitive information exposure if not properly governed.
The Impact
All users are affected, with the primary security risk being the potential for sensitive internal data to be inadvertently processed or exfiltrated via Copilot's interaction with external content.
- End users: Risk of unintentional disclosure of sensitive data through Copilot prompts.
- Security teams: Increased surface area for data exfiltration and compliance monitoring challenges.
- Admins: New configuration requirements to manage data boundaries and Copilot access.
- Organisations: Potential for non-compliance with data handling policies and regulatory requirements.
The Action
- Review and enforce Microsoft Purview Data Loss Prevention (DLP) policies to prevent sensitive data from being used in Copilot prompts.
- Configure Microsoft Edge for Business policies to control Copilot access to external content, specifically YouTube.
- Educate users on appropriate use of Copilot Chat, emphasising the risks of inputting sensitive organisational data.
- Monitor Copilot usage logs for unusual activity or potential data exfiltration attempts.
- Implement Conditional Access policies to restrict Copilot access based on device compliance or network location.
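One way to approach the log-monitoring action above, as an added example that is not Microsoft's or this page's own code: it scans exported audit rows (JSON lines) for Copilot interactions whose context is a YouTube URL and reports users at or above a count threshold. The field names (`Operation`, `UserId`, `AuditData`, `CopilotEventData`, `Contexts`, `Id`, `Type`), the `CopilotInteraction` value, and the threshold of 3 are assumptions to check against your tenant's actual export.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

YOUTUBE_DOMAINS = ("youtube.com", "youtu.be")

def is_youtube(url):
    """True when the URL host is a YouTube domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return any(host == d or host.endswith("." + d) for d in YOUTUBE_DOMAINS)

def youtube_grounded_events(lines):
    """Yield (user, url) for each Copilot interaction whose context is a YouTube URL."""
    for line in lines:
        try:
            data = json.loads(line)
            if isinstance(data, dict) and isinstance(data.get("AuditData"), str):
                data = json.loads(data["AuditData"])  # exports may nest the payload as a string
        except json.JSONDecodeError:
            continue  # skip unreadable rows instead of aborting the run
        if not isinstance(data, dict) or data.get("Operation") != "CopilotInteraction":
            continue
        contexts = (data.get("CopilotEventData") or {}).get("Contexts") or []
        for ctx in contexts:
            if isinstance(ctx, dict) and is_youtube(str(ctx.get("Id", ""))):
                yield data.get("UserId", "unknown"), ctx["Id"]

def users_over_threshold(lines, threshold=3):
    """Return {user: count} for users with at least `threshold` YouTube-grounded chats."""
    counts = Counter(user for user, _ in youtube_grounded_events(lines))
    return {user: n for user, n in counts.items() if n >= threshold}

def make_record(user, url, nested=False):
    """Build one constructed audit row; field names are assumed, not taken from the page."""
    payload = {"Operation": "CopilotInteraction", "UserId": user,
               "CopilotEventData": {"Contexts": [{"Id": url, "Type": "WebPage"}]}}
    return json.dumps({"AuditData": json.dumps(payload)} if nested else payload)

SAMPLE = [  # constructed rows, not real tenant data
    make_record("alice@contoso.example", "https://www.youtube.com/watch?v=EXAMPLE1"),
    make_record("alice@contoso.example", "https://youtu.be/EXAMPLE2", nested=True),
    make_record("alice@contoso.example", "https://m.youtube.com/watch?v=EXAMPLE3"),
    make_record("bob@contoso.example", "https://contoso.sharepoint.com/sites/hr/plan.docx"),
    make_record("carol@contoso.example", "https://notyoutube.com/watch?v=EXAMPLE4"),
    "{truncated row",
]
```

The host comparison is exact-or-subdomain rather than a substring match, so a lookalike such as `notyoutube.com` is not counted, and rows that fail to parse are skipped rather than stopping the scan.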
Domain: Agentic-AI · Impact: high · Workload: Other