Expert Opinions

March 26, 2025 | Andy Syrewicze

Microsoft Copilot Security Risks: Are Your M365 Settings Leaving You Exposed?

Don’t overlook Copilot security risks. Learn how to protect your business from potential threats while still getting the productivity benefits of the AI.

Microsoft Copilot has emerged as a game changer for employee productivity — when security risks are considered. Whether writing emails, developing code, sorting company data, or analyzing financial reports, Copilot is a powerful resource for boosting efficiency across virtually every department.

However, as with any technological innovation, there are challenges. In the case of Microsoft Copilot for M365, cybersecurity risks can arise from neglected and misconfigured permission and security settings. When left unchecked, these settings let insiders surface data they were never meant to see and help criminals steal data through a compromised account, increasing a business’s exposure to a major breach.

Understanding the Risks of Microsoft Copilot

While organizations should embrace Copilot’s productivity benefits, they must also understand and prepare for its potential risks. Business leaders must fine-tune their M365 settings for security, specifically for SharePoint Online, so that employees can fully leverage Copilot’s benefits without increasing risk.

It’s common for organizations to deploy new digital tools quickly without considering that default settings may not prioritize security. In the case of Copilot, weaknesses in an organization’s other security controls can enable its misuse, so every organization should give this due attention. This is especially true for those operating in highly regulated environments, such as finance or healthcare, where industry regulations require a defined level of data protection.

Potential Security Threats and Misconfigurations

Because Copilot is directly integrated into Microsoft 365, it is designed to have access to the vast swaths of data within a given M365 tenant by default. For instance, Copilot can pull notes from Microsoft Word documents to create a schedule for a new work project. It can also recall emails from Outlook to create a weekly planner or pull numbers from an Excel spreadsheet to create a quarterly report. While this feature is convenient, it’s also a potential liability for private businesses and MSPs managing highly sensitive or confidential data.

Neglect and mismanagement of M365’s sharing and collaboration settings are common issues that require a high degree of operational maturity to address properly, especially in older M365 tenants. Poorly managed settings and permissions can give employees the ability to view and connect data sets they have no business need for, and without properly managed security settings in M365, this poses a severe risk.

Allowing the entire company workforce access to more data than is required to do their job elevates the chance of employees unknowingly using private or sensitive information via Copilot. It also increases the risk of it falling into the hands of threat actors through cyberattacks.


How Threat Actors Exploit Copilot Vulnerabilities

Threat actors have many options for exploiting M365’s default permission and security settings, but social engineering is among the most popular. For example, a threat actor can pretend to be a legitimate company employee and ask another person to provide information for an internal presentation. They may even provide a pre-built prompt for Copilot in the process. If the target employee is successfully tricked and provides the threat actor with the information, the organization is now in a data breach situation. Sadly, the targeted employee may not even stop to consider the sensitive nature of what they’re sharing.

Additionally, an insider threat might steal internal data found through Copilot and use it for nefarious purposes. Without the right M365 permissions established for SharePoint Online and OneDrive for Business, an employee using Copilot might simply stumble across personnel information that, if shared, would breach data privacy regulations, not to mention cause unrest among the workforce.

Default permissions are also problematic if a threat actor manages to steal account credentials. This is becoming increasingly common with reverse-proxy-style credential theft toolkits such as Evilginx and the W3ll phishing kit. Stolen M365 credentials give these criminals access to Copilot and, by extension, any data the program can reach. With skilled prompt engineering, threat actors can surface data sets that were never properly safeguarded.

Best Practices to Mitigate Copilot Security Risks

Lax controls around SharePoint Online and OneDrive for Business can compromise security. That said, you can take steps to mitigate these risks. Among them:

  1. Align settings to ensure access to sensitive data is granted only to those who need it.
  2. Regularly conduct audits of security settings to ensure that necessary settings remain in place.
  3. Train employees to responsibly manage any sensitive data and identify potential threats to the organization.
  4. Implement a Zero Trust security model, treating all requests as untrustworthy by default and verifying user authenticity.
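One way to turn the first two practices into a repeatable check is a read-only audit of the tenant- and site-level sharing settings in SharePoint Online and OneDrive for Business, since those settings decide how widely content is discoverable by Copilot. The script below is an added example written for this article, not code from the author or from Hornetsecurity. It assumes the SharePoint Online Management Shell module (`Microsoft.Online.SharePoint.PowerShell`) and a SharePoint administrator account for a live run; the tenant and site objects at the bottom are constructed sample data shaped like `Get-SPOTenant` and `Get-SPOSite` output, and the `contoso` URLs are placeholders.

```powershell
# Added example (not from the article): audit SharePoint Online / OneDrive sharing
# settings that widen the pool of content Copilot can surface to any signed-in user.
# Read-only: it reports findings, it changes nothing.

function Get-SharingFindings {
    param(
        [Parameter(Mandatory)] $Tenant,   # object shaped like Get-SPOTenant output
        [Parameter(Mandatory)] $Sites     # objects shaped like Get-SPOSite output
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Scope, $Setting, $Value, $Why) {
        $findings.Add([pscustomobject]@{ Scope = $Scope; Setting = $Setting; Value = $Value; Why = $Why })
    }

    # Tenant-wide defaults: these apply to every new share link an employee creates.
    if ($Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        Add-Finding 'Tenant' 'SharingCapability' $Tenant.SharingCapability `
            'Anonymous "Anyone" links allowed; content can leave the tenant with no sign-in.'
    }
    if ($Tenant.DefaultSharingLinkType -ne 'Direct') {
        Add-Finding 'Tenant' 'DefaultSharingLinkType' $Tenant.DefaultSharingLinkType `
            'Default link is org-wide or anonymous rather than specific people; org-wide links make files reachable by Copilot for every user.'
    }
    if ($Tenant.DefaultLinkPermission -eq 'Edit') {
        Add-Finding 'Tenant' 'DefaultLinkPermission' $Tenant.DefaultLinkPermission `
            'New share links grant edit by default; View is the least-privilege choice.'
    }
    foreach ($claim in 'ShowEveryoneClaim', 'ShowEveryoneExceptExternalUsersClaim', 'ShowAllUsersClaim') {
        if ($Tenant.$claim) {
            Add-Finding 'Tenant' $claim $true `
                'Everyone-style groups appear in the people picker, so a single click shares a site with the whole workforce.'
        }
    }
    if ($Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing' -and $Tenant.RequireAnonymousLinksExpireInDays -lt 1) {
        Add-Finding 'Tenant' 'RequireAnonymousLinksExpireInDays' $Tenant.RequireAnonymousLinksExpireInDays `
            'Anonymous links never expire.'
    }

    # Per-site settings: flag sites that permit anonymous links, and OneDrive (personal)
    # sites, which are the usual home of files shared far more widely than intended.
    foreach ($site in $Sites) {
        if ($site.SharingCapability -eq 'ExternalUserAndGuestSharing') {
            Add-Finding $site.Url 'SharingCapability' $site.SharingCapability `
                'Site permits anonymous links; review whether it holds sensitive data.'
        }
        if ($site.Template -like 'SPSPERS*') {
            Add-Finding $site.Url 'Template' $site.Template `
                'Personal OneDrive site; include its share links in the audit.'
        }
    }
    return $findings
}

# Constructed sample data standing in for Get-SPOTenant and Get-SPOSite -Limit All.
$sampleTenant = [pscustomobject]@{
    SharingCapability                    = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType               = 'Internal'
    DefaultLinkPermission                = 'Edit'
    ShowEveryoneClaim                    = $true
    ShowEveryoneExceptExternalUsersClaim = $true
    ShowAllUsersClaim                    = $false
    RequireAnonymousLinksExpireInDays    = -1
}
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Finance'; SharingCapability = 'ExternalUserAndGuestSharing'; Template = 'STS#3' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/HR';      SharingCapability = 'Disabled';                    Template = 'STS#3' }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/a_user'; SharingCapability = 'ExternalUserSharingOnly'; Template = 'SPSPERS#10' }
)
Get-SharingFindings -Tenant $sampleTenant -Sites $sampleSites | Format-Table -AutoSize

# Live run (uncomment): sign in as a SharePoint administrator, then export the findings.
# Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
# Get-SharingFindings -Tenant (Get-SPOTenant) -Sites (Get-SPOSite -Limit All) |
#     Export-Csv .\copilot-sharing-audit.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; that is the recurring audit the second practice calls for. The script covers only tenant- and site-level sharing settings, so item-level permissions (including sites where an everyone-style group was added directly) still need a separate permissions review.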

Copilot is an invaluable tool for enhancing productivity, but it’s essential to address M365’s permission settings for safe and effective usage. Follow these best practices to leverage Copilot effectively while keeping data safe and secure.


Andy Syrewicze is a 20-year IT pro specializing in M365, cloud technologies, security, and infrastructure. By day, he’s a security evangelist for Hornetsecurity, leading technical content. By night, he shares his IT knowledge online or over a cold beer. He holds the Microsoft MVP award in Security.

Featured image: iStock
