Excel: Summarize text columns with Copilot
🚨 The Signal: Copilot in Excel can now summarise text columns, generating categories or tags from unstructured data like survey responses. This enhances data analysis but introduces new vectors for data exposure and prompt injection.
The Impact
All users interacting with Copilot in Excel are affected; the feature increases the risk of sensitive data exposure and prompt injection.
- End users: Risk of inadvertently exposing sensitive data through Copilot summaries.
- Security team: Increased surface area for prompt injection attacks via Excel data.
- Data owners: Need to re-evaluate data classification for unstructured text in Excel.
- Compliance officers: New considerations for data retention and privacy with AI-generated summaries.
The Action
- Review and enforce Microsoft Purview Data Loss Prevention (DLP) policies for Excel documents containing sensitive information.
- Educate users on responsible AI usage, data sensitivity, and prompt engineering best practices when using Copilot in Excel.
- Implement and monitor Microsoft Defender for Cloud Apps policies to detect unusual data sharing or access patterns involving Excel files.
- Regularly audit Copilot usage logs for anomalous activity or potential prompt injection attempts.
- Ensure data classification labels are applied consistently to Excel files, especially those with unstructured text.
Domain: Agentic-AI · Impact: high · Workload: M365 Apps