The "M365 Suspicious Copilot for M365 Access" detection identifies when a session using the Copilot for M365 feature originates from an atypical location for the user or environment. This detection helps identify potential misuse of M365 Copilot for reconnaissance or data extraction within an organization's Microsoft 365 ecosystem.
Attackers who have compromised an account might use M365 Copilot to streamline the discovery of sensitive information within the environment. By leveraging Copilot, attackers can quickly access documented internal knowledge such as IT policies, credentials, and other strategic information, enabling them to plan subsequent attack phases more effectively.
Legitimate users may access M365 Copilot from an unusual location due to travel or remote work. While the behavior may appear suspicious, it could align with standard business activities, such as remote employees using secure connections from different geographic areas.
A user’s account logs in from an overseas location and initiates a Copilot session. This could signal an attacker leveraging Copilot for reconnaissance.
An employee working remotely uses Copilot from a location not previously seen in the organization's activity logs. Verification confirms legitimate usage.
If this detection indicates a genuine threat, the organization faces significant risks:
Attackers using Copilot can mine critical knowledge, gaining insights that could facilitate further attacks and compromise the organization’s security posture.
Sensitive documents and emails accessed via Copilot can be exposed without leaving easily traceable logs, presenting a significant data loss risk.
The potential for undetected reconnaissance using M365 Copilot poses a risk of ongoing knowledge theft, impacting long-term security monitoring and response capabilities.
Check access logs for unusual login locations and correlate them with other suspicious activities involving the account.
Reach out to the account owner to verify if the Copilot access was authorized and if it aligns with their current tasks.
Examine whether the Copilot session was followed by other suspicious actions, such as unusual data downloads or file access.
Ensure that this detection is not part of a broader pattern of suspicious activities involving the same account.
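The following is an added example, not part of the original detection description or any vendor code: it reproduces the core of the detection logic described above (a Copilot session from a location that is atypical for the user, with an org-wide baseline deciding severity) and the follow-on correlation from the investigation steps, run over constructed sample events. The event schema is a simplified assumption: `op` mimics unified audit log operation names, and `loc` stands in for a country resolved from the client IP by upstream enrichment.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified, not real M365 audit records).
# "op" mimics unified-audit-log operation names; "loc" stands in for the
# country resolved from the event's client IP, assumed enriched upstream.
EVENTS = [
    {"ts": "2024-04-20T08:00:00", "user": "alice@contoso.com", "op": "UserLoggedIn", "loc": "US"},
    {"ts": "2024-05-01T09:00:00", "user": "alice@contoso.com", "op": "UserLoggedIn", "loc": "US"},
    {"ts": "2024-05-01T09:05:00", "user": "alice@contoso.com", "op": "CopilotInteraction", "loc": "US"},
    {"ts": "2024-05-02T10:00:00", "user": "bob@contoso.com", "op": "UserLoggedIn", "loc": "DE"},
    {"ts": "2024-05-03T03:10:00", "user": "alice@contoso.com", "op": "UserLoggedIn", "loc": "NG"},
    {"ts": "2024-05-03T03:12:00", "user": "alice@contoso.com", "op": "CopilotInteraction", "loc": "NG"},
    {"ts": "2024-05-03T03:40:00", "user": "alice@contoso.com", "op": "FileDownloaded", "loc": "NG"},
    {"ts": "2024-05-04T11:00:00", "user": "bob@contoso.com", "op": "CopilotInteraction", "loc": "US"},
]


def find_suspicious_copilot_sessions(events, lookback_days=30, session_hours=24, followup_minutes=60):
    """Flag Copilot interactions from a location the user has not used before.

    The baseline is built from events older than `session_hours` (so the sign-in
    that started the current session cannot whitelist its own location) and
    newer than `lookback_days`. Users with no baseline are skipped rather than
    flagged, since a brand-new account would otherwise always trigger.
    """
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    findings = []
    for i, ev in enumerate(events):
        if ev["op"] != "CopilotInteraction":
            continue
        t = datetime.fromisoformat(ev["ts"])
        oldest = t - timedelta(days=lookback_days)
        newest = t - timedelta(hours=session_hours)
        user_locs, org_locs = set(), set()
        for prior in events[:i]:
            pt = datetime.fromisoformat(prior["ts"])
            if oldest <= pt <= newest:
                org_locs.add(prior["loc"])
                if prior["user"] == ev["user"]:
                    user_locs.add(prior["loc"])
        if not user_locs or ev["loc"] in user_locs:
            continue
        # Follow-on activity shortly after the session supports the triage steps above.
        followup = [e["op"] for e in events[i + 1:]
                    if e["user"] == ev["user"]
                    and datetime.fromisoformat(e["ts"]) - t <= timedelta(minutes=followup_minutes)]
        findings.append({"user": ev["user"], "ts": ev["ts"], "loc": ev["loc"],
                         "new_for_org": ev["loc"] not in org_locs, "followup": followup})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_copilot_sessions(EVENTS):
        print(finding)
```

On the sample data, alice's session from NG is flagged as new for both the user and the organization with a file download in the following hour, while bob's session from US is flagged only as new for the user, since US is an established location org-wide.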
It indicates access to M365 Copilot from an unusual location, potentially by an attacker using stolen credentials.
Review the user's access details and reach out for verification. Check related activities for any signs of malicious behavior.
To gather information that can aid in lateral movement, persistence, or data exfiltration.
Yes, remote work or travel could result in unexpected access locations, though these should be verified.
Monitor the account for subsequent suspicious behavior and consider implementing location-based access restrictions.
M365 Copilot can provide comprehensive access to documented information, posing a high risk if misused.
Yes, if a legitimate user accesses Copilot from an approved but uncommon location.
Copilot's functionality might not always log which files are accessed to generate responses, making it difficult to trace the full scope of its use.
Yes, attackers can leverage knowledge gained from Copilot to exfiltrate or misuse sensitive data.
Unusual eDiscovery searches or suspicious login events can complement this detection in identifying potential account compromise.