M365 Suspicious Copilot for M365 Access

Triggers

• A Copilot for M365 session was initiated by a user originating from a location that is unusual for the user and/or environment within the context of this functionality.

Possible Root Causes

• An attacker may be using the Copilot for M365 functionality to simplify their ability to discover knowledge documented within your environment that can help them enable their next steps within your environment (i.e. IT policies and procedures, documented static passwords/accounts, etc.).
• An attacker may be using the Copilot for M365 functionality to simplify the discovery and extraction of sensitive information from e-mails stored within the M365 environment.
• A legitimate user has accessed this functionality from a location that is not typical for your environment, but is using the functionality for benign/approved use cases.

Business Impact

• An attacker utilizing Copilot for M365 can simplify the process of mining important knowledge about your organization and hide files that were accessed to support gaining that knowledge. This is because Copilot for M365 does not always log the files accessed to provide a response.

Steps to Verify

• This detection is most interesting when it is accompanied by other detections indicating this account may be compromised.
• Review whether the unusual location aligns with what is expected for this user.
• Consult the available logs to determine if the activity prior to the registration is as expected.
• If warranted, reach out to the account owner to confirm they accessed this functionality in this way.