Microsoft Copilot (Microsoft 365): Copilot Chat in Word, Excel, PowerPoint, and OneNote for GCC-M

🚨 The Signal: Copilot Chat is now directly accessible within Word, Excel, PowerPoint, and OneNote for GCC-M users. This increases the surface area for data exposure and prompt injection risks within M365 applications.

The Impact

All GCC-M users are affected, increasing the risk of sensitive data exposure and prompt injection attacks through Copilot.

  • End-users: Increased risk of inadvertently exposing sensitive data to Copilot.
  • Security Teams: New vectors for prompt injection attacks within M365 apps.
  • Data Owners: Greater challenge in controlling data flow and preventing unauthorized disclosure.
  • Compliance Officers: Enhanced need for data governance and AI usage policy enforcement.

The Action

  1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to specifically address Copilot interactions and sensitive data handling.
  2. Implement or refine Microsoft Entra Conditional Access policies to restrict Copilot access based on device compliance, location, or user risk.
  3. Educate users on secure prompting techniques and the risks of sharing sensitive information with Copilot.
  4. Monitor Microsoft 365 audit logs for unusual Copilot activity or data access patterns.
  5. Evaluate and update your organization's AI usage policy to reflect in-app Copilot chat capabilities.
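To support step 4, an added PowerShell example (not part of this bulletin and not Microsoft's own tooling) that pulls CopilotInteraction records from the unified audit log, keeps only the in-app hosts named above, and summarises per-user volume and the resources Copilot drew on. It assumes the ExchangeOnlineManagement module, a module version that exposes the CopilotInteraction record type, and the CopilotEventData.AppHost / CopilotEventData.Contexts field names; the 50-interactions-per-day threshold is a constructed placeholder.

```powershell
# Added example: summarise Copilot Chat activity in Word, Excel, PowerPoint and
# OneNote from the unified audit log. Not from the original bulletin.
# Assumptions: ExchangeOnlineManagement module, audit-log search rights, and the
# CopilotEventData.AppHost / Contexts fields as documented for CopilotInteraction
# records; verify the schema against your own tenant before relying on it.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$inAppHosts = @('Word', 'Excel', 'PowerPoint', 'OneNote')
$threshold  = 50   # constructed baseline: interactions per user per day to flag

$records = Search-UnifiedAuditLog -RecordType CopilotInteraction `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5000

$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $appHost = $d.CopilotEventData.AppHost
    if ($inAppHosts -notcontains $appHost) { continue }   # skip Teams, web, etc.
    [pscustomobject]@{
        User      = $d.UserId
        Time      = $d.CreationTime
        AppHost   = $appHost
        # Resources (files, sites) Copilot pulled into the response; may be empty
        Resources = @($d.CopilotEventData.Contexts | ForEach-Object { $_.Id })
    }
}

# Per-user summary: volume, hosts used and distinct resources touched.
# A high count or a wide spread of resources is a review trigger for the DLP
# and Conditional Access policies in steps 1 and 2, not proof of misuse.
$summary = $events | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User         = $_.Name
        Interactions = $_.Count
        Hosts        = ($_.Group.AppHost | Sort-Object -Unique) -join ','
        Resources    = @($_.Group.Resources | Sort-Object -Unique).Count
        Flag         = $_.Count -gt $threshold
    }
}

$summary | Sort-Object Interactions -Descending | Format-Table -AutoSize
```

Schedule the query daily and compare the per-user baseline over time; a sudden jump in Resources for one user is usually more informative than raw interaction count.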

Domain: Agentic-AI · Impact: high · Workload: M365 Apps