Microsoft Copilot (Microsoft 365): Web Link as a Reference in Copilot Notebooks
🚨 The Signal: Copilot Notebooks now allow web links as references. This expands the data sources Copilot can process and increases the potential exposure of sensitive information if the feature is not properly governed.
The Impact
All Copilot users are affected. The change increases the risk of inadvertent sensitive data exposure and of prompt injection via external links.
- End users: Risk of inadvertently exposing sensitive internal data by referencing external, untrusted web links.
- Security teams: Increased surface area for data exfiltration and prompt injection attacks through external content.
- Compliance officers: New challenges in tracking data provenance and ensuring sensitive information is not processed by Copilot from untrusted sources.
The Action
- Review and update Copilot data governance policies to explicitly address external web link references.
- Educate users on the risks of referencing untrusted or sensitive external web content in Copilot Notebooks.
- Monitor Copilot usage logs for unusual activity related to external data ingestion.
- Implement Microsoft Purview policies to detect and prevent sensitive information from being processed by Copilot from untrusted sources.
Domain: Agentic-AI · Impact: high · Workload: Other