Microsoft Copilot (Microsoft 365): [Copilot Extensibility] Users can explore third-party content in Copilot chat with deep citations and side-by-side previews

🚨 The Signal: Copilot can now access and cite third-party content directly within chat, displaying deep citations and side-by-side previews. This expands Copilot's data access, increasing the potential for data exposure from external sources.

The Impact

All users are affected, with a high risk of unintended data exposure through Copilot's interaction with third-party content.

• End users: Risk of inadvertently sharing sensitive internal data with third-party services.
• Security teams: Increased surface area for data exfiltration and compliance violations.
• Admins: New configurations required to manage Copilot's access to third-party content.
• Compliance officers: Potential for non-compliance with data residency and privacy regulations.

The Action

1. Review and configure Copilot's data access policies for third-party content in the Microsoft 365 admin center.
2. Implement Data Loss Prevention (DLP) policies specifically for Copilot interactions with external services.
3. Educate users on the risks of sharing sensitive information when Copilot interacts with third-party content.
4. Monitor Copilot audit logs for unusual activity related to third-party content access.
5. Assess third-party connectors and their data handling practices within the Copilot ecosystem.

Domain: Agentic-AI · Impact: high · Workload: Other