Home About Courses Live Batches Private Sessions Labs Cyber Bulletin Verify Contact

Login

Microsoft 365 Copilot audit logging vulnerability

Published on: September 21, 2025

Share:
Microsoft 365 Copilot audit logging vulnerability

Overview:

A vulnerability in Microsoft 365 Copilot (M365 Copilot) allowed users to access and summarize sensitive files without generating corresponding audit log entries—creating a significant blind spot for security monitoring. Microsoft quietly patched the issue on August 17, 2025, but classified it as “Important” and did not issue a CVE or formally notify customers.

 

Vulnerability Details:

  • The vulnerability involves prompt manipulation in Microsoft Copilot.
  • Specifically, instructing Copilot to exclude reference links in file summaries prevented the associated user actions from being logged.
  • As a result, these actions bypassed audit logging mechanisms entirely, leaving no trace in Unified Audit Logs (UAL) or Microsoft Purview.
  • This behavior represents a serious logging oversight in environments that depend on Copilot-generated audit trails.

Note: As of this advisory, Microsoft has not assigned a CVE ID to this issue.

 

How It Affects:

  • Copilot prompts that exclude reference links bypass audit logging, preventing security and IT teams from tracking which files were accessed and by whom.
  • This creates blind spots in visibility and monitoring, making it difficult to detect or investigate user activity involving sensitive data.
  • Insider threats or malicious users could use this technique to summarize or extract sensitive information without leaving any trace in the logs.
  • Data Loss Prevention (DLP) systems relying on audit logs may fail to detect such unauthorized access or misuse.
  • The absence of audit records violates key compliance requirements (e.g., GDPR, HIPAA, SOX), increasing the risk of non-compliance and potential legal exposure.

 

Who It Affects:

  • All Microsoft 365 Copilot users across tenants prior to August 18, 2025.
  • Particularly impacts organizations in:
    • Financial services
    • Healthcare
    • Government and defense
    • Other regulated sectors that require strict audit and logging standards.
    •  

Impact:

  • Security: Increased risk of data exfiltration or misuse going unnoticed.
  • Compliance: Potential violation of audit and retention mandates (e.g., HIPAA, SOX, GDPR).
  • Operational: Decreased trust in audit logs and limitations in threat detection and response.
  •  

Targeted Products:

The vulnerability affects Microsoft 365 Copilot integrations across:

  • Web, desktop, and mobile platforms
  • Microsoft Office Suite, including:
    • Word
    • Excel
    • PowerPoint
    • Teams
    • Other apps with Copilot integration
    •  

Recommendations:

1. Confirm Patch Status

  • Ensure the August 17, 2025 silent patch has been applied across all tenant environments.

2.Restrict Risky Prompt Usage

  • Temporarily limit prompts that bypass logging (e.g., those removing reference links). Use Microsoft 365 controls or policies to enforce safe Copilot usage, especially around sensitive data.

3.Apply DLP & Sensitivity Controls

  • Review and apply Data Loss Prevention (DLP) and Sensitivity Labels to restrict Copilot’s access to confidential or regulated content.

4. Train Users

  • Educate staff on responsible Copilot usage and discourage attempts to manipulate prompts.
  • Reinforce secure prompt engineering practices, especially for privileged users.

5. Engage Microsoft Support

  • Inquire about any retrospective fixes or additional monitoring capabilities.

 

References:

https://cybersecuritynews.com/copilot-vulnerability-breaks-audit-logs/

https://gbhackers.com/copilot-vulnerability-lets-attackers-bypass-audit-logs/

https://pistachioapp.com/blog/copilot-broke-your-audit-log

← Back to all bulletins