Microsoft Copilot (Microsoft 365): [Copilot Chat] Email attachment summarization (Classic Attachments)

🚨 The Signal: Copilot Chat can now summarise content from email attachments (Word, Excel, PowerPoint, PDF, Text, JSON, XML). This expands Copilot's data access, increasing the risk of sensitive information exposure through AI summarisation.

The Impact

All users are affected: Copilot's expanded summarisation capabilities increase the risk of sensitive data exposure.

  • End users: Increased risk of inadvertently exposing sensitive data through Copilot Chat.
  • Security teams: New vector for data exfiltration and compliance breaches via AI summarisation.
  • Data owners: Potential for sensitive information in attachments to be processed and summarised by Copilot.
  • Compliance officers: Requires review of data handling policies for AI interactions with email attachments.

The Action

  1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to specifically address Copilot interactions with sensitive email attachment content.
  2. Educate users on responsible use of Copilot Chat, emphasising the risks of summarising sensitive information from attachments.
  3. Monitor Copilot usage logs for unusual activity related to attachment summarisation, particularly for high-value data.
  4. Evaluate existing information classification labels and ensure they are effectively applied to email attachments to guide Copilot's data handling.
  5. Consider implementing sensitivity labels that restrict Copilot's ability to process highly sensitive content.

Domain: Agentic-AI · Impact: high · Workload: Other