Microsoft 365 Copilot audit logging vulnerability

Published on: August 17, 2025

Overview

A vulnerability in Microsoft 365 Copilot (M365 Copilot) allowed users to access and summarize sensitive files without generating corresponding audit log entries, creating a significant blind spot for security monitoring. Microsoft quietly patched the issue on August 17, 2025; it classified the issue as “Important” but did not issue a CVE or formally notify customers.

Vulnerability Details

  • The vulnerability involves prompt manipulation in Microsoft Copilot.
  • Specifically, instructing Copilot to exclude reference links in file summaries prevented the associated user actions from being logged.
  • As a result, these actions bypassed audit logging mechanisms entirely, leaving no trace in Unified Audit Logs (UAL) or Microsoft Purview.
  • This behavior represents a serious logging oversight in environments that depend on Copilot-generated audit trails.

       Note: As of this advisory, Microsoft has not assigned a CVE ID to this issue.

How It Affects

  • Copilot prompts that exclude reference links bypass audit logging, preventing security and IT teams from tracking which files were accessed and by whom.
  • This creates blind spots in visibility and monitoring, making it difficult to detect or investigate user activity involving sensitive data.
  • Insider threats or malicious users could use this technique to summarize or extract sensitive information without leaving any trace in the logs.
  • Data Loss Prevention (DLP) systems relying on audit logs may fail to detect such unauthorized access or misuse.
  • The absence of audit records violates key compliance requirements (e.g., GDPR, HIPAA, SOX), increasing the risk of non-compliance and potential legal exposure.

Who It Affects

  1. All Microsoft 365 Copilot users across tenants prior to August 18, 2025.
  2. Particularly impacts organizations in:
    1. Financial services
    2. Healthcare
    3. Government and defense
    4. Other regulated sectors that require strict audit and logging standards.

Impact

  • Security: Increased risk of data exfiltration or misuse going unnoticed.
  • Compliance: Potential violation of audit and retention mandates (e.g., HIPAA, SOX, GDPR).
  • Operational: Decreased trust in audit logs and limitations in threat detection and response.

Targeted Products

The vulnerability affects Microsoft 365 Copilot integrations across:

  • Web, desktop, and mobile platforms
  • Microsoft Office Suite, including:
    • Word
    • Excel
    • PowerPoint
    • Teams
    • Other apps with Copilot integration

Recommendations

1. Confirm Patch Status

  • Ensure the August 17, 2025 silent patch has been applied across all tenant environments.
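One practical way to confirm the fix in your own tenant is a canary test: have a test account ask Copilot to summarize a known, harmless file using a prompt that omits reference links, wait for audit ingestion, then check that the Unified Audit Log recorded the file access. The script below is an added example, not Microsoft's or the advisory's own code. It assumes the Exchange Online PowerShell module, an account holding the audit-log reader role, the UAL record type name CopilotInteraction, and that each record's AuditData JSON carries CopilotEventData.AccessedResources listing the files Copilot read; the parameter names and the canary file name are placeholders you supply.

```powershell
# Added example (not from the advisory): verify that Copilot file summaries are
# audited again after the August 17, 2025 fix, using a canary file.
# Assumptions (not stated on the page): Exchange Online PowerShell is installed,
# the caller can read the Unified Audit Log, the record type is
# "CopilotInteraction", and AuditData contains CopilotEventData.AccessedResources.
#
# Before running: as $TestUser, ask Copilot to summarize $CanaryFile with a prompt
# that asks it to leave out reference links, then allow time for audit ingestion.

param(
    [Parameter(Mandatory)] [string] $TestUser,     # UPN of the account that ran the test prompt
    [Parameter(Mandatory)] [string] $CanaryFile,   # e.g. "canary-summary-test.docx" (placeholder)
    [int] $LookbackHours = 24
)

Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddHours(-$LookbackHours)
$end   = Get-Date

# Pull Copilot interaction records for the test user inside the window.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -UserIds $TestUser -ResultSize 5000

if (-not $records) {
    Write-Warning ("No CopilotInteraction records for {0} in the last {1} h. " +
        "Either audit ingestion is still pending or Copilot interactions are not being logged.") -f $TestUser, $LookbackHours
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

$hits        = @()   # interactions that reference the canary file
$noResources = 0     # interactions that reference no accessed resources at all

foreach ($r in $records) {
    $data      = $r.AuditData | ConvertFrom-Json
    $resources = @($data.CopilotEventData.AccessedResources)
    if ($resources.Count -eq 0) { $noResources++ }
    foreach ($res in $resources) {
        if ($res.Name -like "*$CanaryFile*") {
            $hits += [pscustomobject]@{
                Time     = $r.CreationDate
                User     = $r.UserIds
                Resource = $res.Name
                Id       = $res.Id
            }
        }
    }
}

"{0} Copilot interactions found; {1} of them reference no accessed resources." -f $records.Count, $noResources

if ($hits.Count -gt 0) {
    "PASS: the canary file access was audited:"
    $hits | Format-Table -AutoSize
} else {
    # The interaction itself was logged, but the file it read was not recorded:
    # the summary-without-links path still leaves no file-level trace.
    Write-Warning "FAIL: Copilot interactions were logged but none reference '$CanaryFile'. Escalate to Microsoft support."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the test once per tenant after the patch window; a PASS means the canary access appears in the Unified Audit Log with the file named, which is the trail that the vulnerability removed. Interactions that reference no resources are reported separately because a high count of them after the fix is itself worth raising with Microsoft support.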

2. Restrict Risky Prompt Usage

  • Temporarily limit prompts that bypass logging (e.g., those removing reference links). Use Microsoft 365 controls or policies to enforce safe Copilot usage, especially around sensitive data.

3. Apply DLP & Sensitivity Controls

  • Review and apply Data Loss Prevention (DLP) and Sensitivity Labels to restrict Copilot’s access to confidential or regulated content.

4. Train Users

  • Educate staff on responsible Copilot usage and discourage attempts to manipulate prompts.
  • Reinforce secure prompt engineering practices, especially for privileged users.

5. Engage Microsoft Support

  • Inquire about any retrospective fixes or additional monitoring capabilities.
