Copilot Vulnerability Exposes Audit Logs, Allowing Unauthorized Access to Sensitive Files

A significant security vulnerability in Microsoft’s Copilot for M365 has allowed users, including potential malicious insiders, to access sensitive files without leaving a trace in audit logs. After patching the flaw, Microsoft chose not to issue a formal CVE or notify customers, leaving organizations unaware that their security logs may be critically incomplete.


Discovered by a researcher at Pistachio, the vulnerability was easy to exploit. Normally, actions taken by Copilot, such as summarizing a file, are recorded in the M365 audit log. However, if a user instructed Copilot not to provide a reference link to the summarized file, the action went unlogged, creating a digital blind spot for security teams. This could enable a malicious employee to exfiltrate confidential data without detection.


The implications are severe for organizations in regulated industries like healthcare and finance, which rely on accurate audit logs for compliance with standards like HIPAA. The researcher described a frustrating disclosure process with Microsoft, which began patching the issue on August 17 without clear communication.