Microsoft Copilot (Microsoft 365): Outlook Emails in Copilot Notebooks

🚨 The Signal: Copilot Notebooks can now reference Outlook emails, allowing users to ground AI responses in email content. This expands the data sources Copilot can access, increasing context but also potential data exposure.

The Impact

All users interacting with Copilot Notebooks are affected, and the change increases the risk of inadvertent exposure of sensitive information through AI outputs.

  • End Users: Risk of oversharing sensitive email content if they are not careful with Copilot prompts.
  • Security Teams: Increased surface area for data leakage, requiring enhanced monitoring and data governance policies.
  • Compliance Teams: New challenges in tracking and auditing sensitive data usage within AI contexts.
  • Admins: Need to review and potentially update data loss prevention (DLP) policies for Copilot interactions.

The Action

  1. Review and update existing Microsoft Purview Data Loss Prevention (DLP) policies to include Copilot Notebooks and email content.
  2. Educate users on responsible AI usage, emphasizing that they should not include sensitive information in prompts or allow Copilot to access inappropriate email content.
  3. Monitor Copilot usage logs for unusual data access patterns or potential oversharing of sensitive information.
  4. Assess data residency implications for email content processed by Copilot, especially for multi-national organizations.
  5. Implement sensitivity labels on emails to ensure Copilot respects data classifications when generating content.

Domain: Agentic-AI · Impact: high · Workload: Microsoft Purview