SharePoint: Personal Skills in Copilot in SharePoint

🚨 The Signal: Users can now create personal Copilot skills in SharePoint and OneDrive, stored as markdown files. These skills travel across M365, enabling custom automation but introducing new vectors for data exfiltration and unauthorized access.

The Impact

All users are affected, with a high security risk due to potential for data exfiltration and unauthorized automation.

  • End Users: Risk of inadvertently creating or using malicious skills that exfiltrate data.
  • Security Teams: New challenge in monitoring and controlling custom Copilot skill usage and data access.
  • Admins: Increased complexity in managing data governance and preventing unauthorized automation.
  • Compliance Teams: Difficulty in demonstrating control over data flows and adherence to ISM requirements.

The Action

  1. Review and update existing data loss prevention (DLP) policies to include markdown files and Copilot skill content.
  2. Implement or refine information protection policies to classify and protect data accessed or generated by Copilot skills.
  3. Educate users on the secure creation and use of personal Copilot skills, emphasizing data handling best practices.
  4. Monitor Microsoft 365 audit logs for unusual activity related to Copilot skill creation, modification, and execution.
  5. Evaluate Microsoft Purview capabilities for governing Copilot interactions and custom skill usage.

Domain: Agentic-AI · Impact: high · Workload: SharePoint