Reconnaissance

M365 Suspicious Copilot for M365 Access


Detection overview

The "M365 Suspicious Copilot for M365 Access" detection identifies when a session using the Copilot for M365 feature originates from an atypical location for the user or environment. This detection helps identify potential misuse of M365 Copilot for reconnaissance or data extraction within an organization's Microsoft 365 ecosystem.

Triggers

  • A Copilot for M365 session was initiated by a user originating from a location that is unusual for the user and/or environment within the context of this functionality.

Possible Root Causes

  • An attacker may be using the Copilot for M365 functionality to simplify their ability to discover knowledge documented within your environment that can help them enable their next steps within your environment (e.g. IT policies and procedures, documented static passwords/accounts, etc.).
  • An attacker may be using the Copilot for M365 functionality to simplify the discovery and extraction of sensitive information from e-mails stored within the M365 environment.
  • A legitimate user has accessed this functionality from a location that is not typical for your environment, but is using the functionality for benign/approved use cases.

Business Impact

  • An attacker utilizing Copilot for M365 can simplify the process of mining important knowledge about your organization and hide files that were accessed to support gaining that knowledge. This is because Copilot for M365 does not always log the files accessed to provide a response.

Steps to Verify

  • This detection is most interesting when it is accompanied by other detections indicating this account may be compromised.
  • Review whether the unusual location aligns with what is expected for this user.
  • Consult the available logs to determine if the activity prior to the Copilot session is as expected.
  • If warranted, reach out to the account owner to confirm they accessed this functionality in this way.
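The trigger and the verification steps above come down to one comparison: the country a Copilot session originates from, set against the countries the user (or, when the user has too little history, the whole tenant) has used Copilot from before, with the result prioritised higher when the account already carries other detections. The script below is an added illustration of that logic and is not the vendor's detection code. It assumes a record shape of (user, UTC timestamp, operation, country) and treats the operation name "CopilotInteraction" as marking a Copilot session; both are assumptions for the example, and the log lines are constructed, not real data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

COPILOT_OP = "CopilotInteraction"   # assumed operation name for a Copilot for M365 session
BASELINE_DAYS = 30                  # history window used to learn each user's normal locations
MIN_USER_EVENTS = 3                 # below this many prior sessions, fall back to the tenant baseline

# Constructed sample records: (user, UTC timestamp, operation, country). Not real data.
AUDIT_LOG = [
    ("alice@example.com", "2024-05-02T09:12:00Z", COPILOT_OP, "US"),
    ("alice@example.com", "2024-05-09T10:03:00Z", COPILOT_OP, "US"),
    ("alice@example.com", "2024-05-16T08:47:00Z", COPILOT_OP, "US"),
    ("alice@example.com", "2024-05-23T11:20:00Z", COPILOT_OP, "CA"),
    ("bob@example.com",   "2024-05-10T14:05:00Z", COPILOT_OP, "US"),
    ("bob@example.com",   "2024-05-20T15:30:00Z", "FileAccessed", "US"),   # not a Copilot session
    ("carol@example.com", "2024-05-21T09:00:00Z", COPILOT_OP, "DE"),
    # events at or after NOW are the ones being evaluated
    ("alice@example.com", "2024-06-01T03:15:00Z", COPILOT_OP, "RU"),       # never seen for alice
    ("alice@example.com", "2024-06-01T13:00:00Z", COPILOT_OP, "CA"),       # seen before for alice
    ("bob@example.com",   "2024-06-01T16:40:00Z", COPILOT_OP, "DE"),       # thin history; DE known tenant-wide
    ("bob@example.com",   "2024-06-02T07:10:00Z", COPILOT_OP, "JP"),       # thin history; JP unknown tenant-wide
    ("carol@example.com", "2024-06-02T08:30:00Z", "FileAccessed", "BR"),   # ignored: not a Copilot session
]
NOW = "2024-06-01T00:00:00Z"
OTHER_ALERTS = {"alice@example.com"}   # accounts that already have other open detections (constructed)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_baselines(log, now, days=BASELINE_DAYS):
    """Count the countries each user, and the tenant as a whole, ran Copilot sessions from
    in the `days` before `now`. Only Copilot operations contribute to the baseline."""
    start = now - timedelta(days=days)
    per_user = defaultdict(Counter)
    tenant = Counter()
    for user, ts, op, country in log:
        t = parse_ts(ts)
        if op == COPILOT_OP and start <= t < now:
            per_user[user][country] += 1
            tenant[country] += 1
    return per_user, tenant


def detect_unusual_copilot_access(log, now_ts, other_alerts=frozenset()):
    """Return one finding per Copilot session at/after `now_ts` whose country is outside
    the learned baseline. Findings are dicts so they can be fed to a ticket or SIEM."""
    now = parse_ts(now_ts)
    per_user, tenant = build_baselines(log, now)
    findings = []
    for user, ts, op, country in log:
        if op != COPILOT_OP or parse_ts(ts) < now:
            continue
        user_hist = per_user.get(user, Counter())
        if sum(user_hist.values()) >= MIN_USER_EVENTS:
            known, scope = set(user_hist), "user"
        else:
            # Too little per-user history to judge: compare against what the tenant normally sees
            known, scope = set(tenant), "tenant"
        if country in known:
            continue
        findings.append({
            "user": user,
            "time": ts,
            "country": country,
            "reason": f"country not seen in {scope} baseline over last {BASELINE_DAYS} days",
            # Escalate when the account already has other detections (first verification step above)
            "priority": "high" if user in other_alerts else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_unusual_copilot_access(AUDIT_LOG, NOW, OTHER_ALERTS):
        print(f)
```

Run as-is it reports two sessions: alice from RU (high, because the account also has another detection) and bob from JP (medium, judged against the tenant baseline because bob has only one prior session). Alice's CA session and bob's DE session stay quiet, which is the "legitimate traveller or remote worker" case the page describes; in practice the baseline window and the per-user minimum are the two knobs that trade false positives against missed sessions.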

Possible root causes

Malicious Detection

Attackers who have compromised an account might use M365 Copilot to streamline the discovery of sensitive information within the environment. By leveraging Copilot, attackers can quickly access documented internal knowledge such as IT policies, credentials, and other strategic information, enabling them to plan subsequent attack phases more effectively.

Benign Detection

Legitimate users may access M365 Copilot from an unusual location due to travel or remote work. While the behavior may appear suspicious, it could align with standard business activities, such as remote employees using secure connections from different geographic areas.


Example scenarios

1. Unauthorized Copilot Use from Abroad

A user’s account logs in from an overseas location and initiates a Copilot session. This could signal an attacker leveraging Copilot for reconnaissance.

2. Legitimate Remote Worker with Access

An employee working remotely uses Copilot from a location unfamiliar to the organization's usual activity logs. Verification confirms legitimate usage.


Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Organizational Knowledge Exposure

Attackers using Copilot can mine critical knowledge, gaining insights that could facilitate further attacks and compromise the organization’s security posture.

Data Extraction Risk

Sensitive documents and emails accessed via Copilot can be exposed without leaving easily traceable logs, presenting a significant data loss risk.

Operational Security Challenge

The potential for undetected reconnaissance using M365 Copilot poses a risk of ongoing knowledge theft, impacting long-term security monitoring and response capabilities.

Steps to investigate

MITRE ATT&CK techniques covered

MITRE ATT&CK techniques covered

FAQs

What does this detection signify?

It indicates access to M365 Copilot from an unusual location, potentially by an attacker using stolen credentials.

What should I do if this detection is triggered?

Review the user's access details and reach out for verification. Check related activities for any signs of malicious behavior.

What are common attacker objectives with Copilot misuse?

To gather information that can aid in lateral movement, persistence, or data exfiltration.

Could this relate to travel or remote work?

Yes, remote work or travel could result in unexpected access locations, though these should be verified.

What further steps are recommended?

Monitor the account for subsequent suspicious behavior and consider implementing location-based access restrictions.

Why is this significant?

M365 Copilot can provide comprehensive access to documented information, posing a high risk if misused.

Can this detection be benign?

Yes, if a legitimate user accesses Copilot from an approved but uncommon location.

How does Copilot usage avoid detection?

Copilot's functionality might not always log which files are accessed to generate responses, making it difficult to trace the full scope of its use.

Is data exfiltration possible with this detection?

Yes, attackers can leverage knowledge gained from Copilot to exfiltrate or misuse sensitive data.

Are there related detections that should be monitored?

Unusual eDiscovery searches or suspicious login events can complement this detection in identifying potential account compromise.