Microsoft Copilot (Microsoft 365): Copilot Chat in Word, Excel, PowerPoint, OneNote, and Outlook for DoD

🚨 The Signal: Copilot Chat is now directly accessible within Microsoft 365 apps (Word, Excel, PowerPoint, OneNote, Outlook) for DoD tenants. This streamlines AI assistance, but increases the potential for data exposure and prompt injection risks within documents.

The Impact

DoD users of these apps are affected; the integration raises the risk of sensitive data exposure and of prompt injection through the AI assistant.

  • End-users: Increased risk of inadvertently exposing sensitive data to Copilot.
  • Security Teams: New prompt injection vectors, since Copilot reads content embedded in documents, spreadsheets, and mail within M365 applications.
  • Data Owners: Potential for unapproved data egress via Copilot's summarization and generation.
  • Compliance Officers: Challenges in maintaining data classification and handling standards.

The Action

  1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to specifically address Copilot interactions and sensitive data handling within M365 apps.
  2. Implement or refine Microsoft Entra Conditional Access policies to restrict Copilot access based on device compliance, location, or user risk.
  3. Educate users on secure prompting techniques, data classification, and the risks of sharing sensitive information with Copilot.
  4. Monitor Microsoft Purview Audit logs for Copilot activities, especially those involving sensitive data or unusual interactions.
  5. Evaluate and configure Copilot data residency and interaction settings within the Microsoft 365 admin center to align with DoD requirements.
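Action step 4 above asks teams to watch Purview Audit for Copilot activity involving sensitive data. The following is an added example, not part of the original advisory and not Microsoft's code, of offline triage over an exported batch of unified audit log records. It assumes the record layout of the CopilotInteraction record type (fields such as AuditData, CopilotEventData, AppHost, and AccessedResources, with AuditData delivered as a JSON string, as Search-UnifiedAuditLog and portal exports do); the records, user names, and sensitivity label IDs are constructed placeholders.

```python
"""Added example: triage exported Microsoft 365 audit records for Copilot
interactions that touched resources carrying watched sensitivity labels.
Field names follow the CopilotInteraction record type as assumed here;
all records and label IDs below are constructed sample data."""
import json
from collections import Counter

# Placeholder label IDs; a real tenant would use its Purview label GUIDs.
WATCHED_LABELS = {"LABEL-CUI-PLACEHOLDER", "LABEL-SECRET-PLACEHOLDER"}

# Constructed export: three Copilot interactions and one unrelated record.
SAMPLE_EXPORT = json.dumps([
    {"RecordType": "CopilotInteraction", "Operation": "CopilotInteraction",
     "UserId": "analyst@example.mil", "CreationTime": "2024-06-01T14:02:11",
     "AuditData": json.dumps({"CopilotEventData": {
         "AppHost": "Word",
         "AccessedResources": [
             {"Name": "Plan.docx", "Type": "Document",
              "SensitivityLabelId": "LABEL-CUI-PLACEHOLDER"}]}})},
    {"RecordType": "CopilotInteraction", "Operation": "CopilotInteraction",
     "UserId": "analyst@example.mil", "CreationTime": "2024-06-01T14:10:40",
     "AuditData": json.dumps({"CopilotEventData": {
         "AppHost": "Excel",
         "AccessedResources": [
             {"Name": "Budget.xlsx", "Type": "Document",
              "SensitivityLabelId": ""}]}})},
    {"RecordType": "CopilotInteraction", "Operation": "CopilotInteraction",
     "UserId": "pm@example.mil", "CreationTime": "2024-06-01T15:30:05",
     "AuditData": json.dumps({"CopilotEventData": {
         "AppHost": "Outlook",
         "AccessedResources": [
             {"Name": "RE: Deployment", "Type": "Email",
              "SensitivityLabelId": "LABEL-SECRET-PLACEHOLDER"},
             {"Name": "Roster.docx", "Type": "Document",
              "SensitivityLabelId": "LABEL-CUI-PLACEHOLDER"}]}})},
    {"RecordType": "SharePointFileOperation", "Operation": "FileAccessed",
     "UserId": "pm@example.mil", "CreationTime": "2024-06-01T15:31:00",
     "AuditData": json.dumps({"ObjectId": "https://sp.example/Roster.docx"})},
])


def parse_export(text):
    """Load an exported JSON array and expand each record's AuditData,
    which exports deliver as a nested JSON string."""
    records = json.loads(text)
    for rec in records:
        data = rec.get("AuditData", {})
        rec["AuditData"] = json.loads(data) if isinstance(data, str) else data
    return records


def copilot_interactions(records):
    """Keep only records of the CopilotInteraction record type."""
    return [r for r in records if r.get("RecordType") == "CopilotInteraction"]


def flag_sensitive(records, watched_labels=WATCHED_LABELS):
    """One finding per Copilot interaction that accessed a resource
    carrying a watched sensitivity label."""
    findings = []
    for rec in copilot_interactions(records):
        event = rec["AuditData"].get("CopilotEventData", {})
        hits = [res for res in event.get("AccessedResources", [])
                if res.get("SensitivityLabelId") in watched_labels]
        if hits:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "app_host": event.get("AppHost"),
                "resources": [(h.get("Name"), h.get("SensitivityLabelId"))
                              for h in hits],
            })
    return findings


def interactions_by_host(records):
    """Count Copilot interactions per host application (Word, Excel, ...)."""
    return Counter(
        r["AuditData"].get("CopilotEventData", {}).get("AppHost", "unknown")
        for r in copilot_interactions(records))


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("Copilot interactions per app:", dict(interactions_by_host(recs)))
    for f in flag_sensitive(recs):
        print(f"{f['time']} {f['user']} via {f['app_host']}: {f['resources']}")
```

Feeding this a real export (for example, the JSON written out from a Search-UnifiedAuditLog run filtered to the CopilotInteraction record type) and swapping in the tenant's own label GUIDs turns it into a first-pass report of which users pulled labelled content into Copilot from which app; the per-host counts give a baseline against which unusual interaction volumes stand out.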

Domain: Agentic-AI · Impact: high · Workload: M365 Apps