Microsoft Copilot (Microsoft 365): [Copilot Chat] Search based user RSVP status

🚨 The Signal: Copilot Chat can now search meeting RSVP statuses, including who accepted or declined. This expands Copilot's access to sensitive calendar data, increasing the potential for information disclosure via natural language queries.

The Impact

All users are affected, which increases the risk that sensitive meeting attendance information is inadvertently disclosed.

  • End Users: Risk of oversharing meeting attendance details.
  • Security Team: Increased surface area for data leakage via Copilot.
  • Privacy Officer: New considerations for meeting privacy and data access.
  • Compliance Team: Potential for non-compliance with data handling policies.

The Action

  1. Review existing Copilot data governance policies for meeting and calendar data access.
  2. Educate users on responsible prompting and the types of information Copilot can now access.
  3. Monitor Copilot usage logs for unusual queries related to meeting attendance.
  4. Assess sensitivity labels for meeting invitations and calendar entries to restrict access where necessary.
  5. Consider implementing Copilot access controls or prompt engineering guidelines to mitigate disclosure risks.

Domain: Agentic-AI · Impact: medium · Workload: M365 Apps