1. Unauthorized Copilot Use from Abroad
A user’s account logs in from an overseas location and initiates a Copilot session. This could signal an attacker leveraging Copilot for reconnaissance.
2. Legitimate Remote Worker with Access
An employee working remotely uses Copilot from a location unfamiliar to the organization's usual activity logs. Verification confirms legitimate usage.