{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/m365-copilot/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Copilot"],"_cs_severities":["medium"],"_cs_tags":["ai_jailbreak","prompt_injection","m365_copilot"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief covers attempts to jailbreak Microsoft 365 Copilot through prompt injection, specifically focusing on impersonation and roleplay attacks. Attackers attempt to manipulate the AI into adopting alternate personas, behaving as unrestricted entities, or impersonating malicious AI systems. The activity is detected by analyzing exported eDiscovery prompt logs, searching for specific keywords related to roleplaying and impersonation. This technique, observed starting in late 2025 and early 2026, is concerning because successful jailbreaks can bypass safety controls, leading to potential data leakage, policy violations, and the generation of harmful content. The focus of targeting is organizations leveraging Microsoft 365 Copilot for enterprise productivity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt containing keywords like \u0026ldquo;pretend you are,\u0026rdquo; \u0026ldquo;act as,\u0026rdquo; \u0026ldquo;you are now,\u0026rdquo; \u0026ldquo;amoral,\u0026rdquo; \u0026ldquo;roleplay as,\u0026rdquo; or \u0026ldquo;imagine you are.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eThe crafted prompt is submitted to Microsoft 365 Copilot through a standard user interaction.\u003c/li\u003e\n\u003cli\u003eThe prompt is logged by Microsoft 365 and available for eDiscovery.\u003c/li\u003e\n\u003cli\u003eAn administrator exports the M365 eDiscovery prompt logs from the Microsoft Purview compliance portal.\u003c/li\u003e\n\u003cli\u003eThe exported logs, including the Subject_Title field containing the prompt text, are ingested into a security information and event management (SIEM) system.\u003c/li\u003e\n\u003cli\u003eA detection rule identifies prompts containing the specified keywords.\u003c/li\u003e\n\u003cli\u003eThe rule categorizes the prompt based on the specific keywords used, such as \u0026ldquo;AI_Impersonation,\u0026rdquo; \u0026ldquo;Malicious_AI_Persona,\u0026rdquo; or \u0026ldquo;Unrestricted_AI_Persona.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eIf the jailbreak attempt is successful, the AI may generate responses that violate organizational policies or expose sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful M365 Copilot jailbreak can result in the AI generating harmful or inappropriate content, bypassing security controls, and potentially leaking sensitive information. While the exact number of affected organizations is currently unknown, the potential impact spans across any sector utilizing M365 Copilot. Consequences include reputational damage, data breaches, and compliance violations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and regularly review M365 Exported eDiscovery Prompts logs for suspicious activity as this log source is critical for detecting jailbreak attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect M365 Copilot impersonation and roleplay jailbreak attempts.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rule using the \u003ccode\u003em365_copilot_impersonation_jailbreak_attack_filter\u003c/code\u003e macro to reduce false positives based on your organization\u0026rsquo;s specific usage patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003euser\u003c/code\u003e and \u003ccode\u003eimpersonation_type\u003c/code\u003e fields to understand the nature and source of the attempted jailbreak.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T17:30:00Z","date_published":"2024-01-09T17:30:00Z","id":"/briefs/2024-01-09-m365-copilot-jailbreak/","summary":"This detection identifies attempts to jailbreak M365 Copilot by impersonating roles, adopting unrestricted personas, or mimicking malicious AI systems to bypass safety controls, searching exported eDiscovery prompt logs for roleplay keywords and categorizing prompts into impersonation types to detect persona injection attacks.","title":"M365 Copilot Impersonation Jailbreak Attack","url":"https://feed.craftedsignal.io/briefs/2024-01-09-m365-copilot-jailbreak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Copilot"],"_cs_severities":["high"],"_cs_tags":["prompt-injection","ai-jailbreak","m365","copilot"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft 365 Copilot is susceptible to jailbreak attempts via prompt injection, where users craft specific prompts designed to bypass or override safety controls. These attacks involve injecting malicious instructions into user prompts to manipulate the AI\u0026rsquo;s behavior, potentially leading to the disclosure of sensitive information, the generation of harmful content, or the execution of unauthorized actions. The attacks leverage techniques like rule manipulation, system bypass commands, and AI impersonation requests, attempting to circumvent built-in safety mechanisms. Successful jailbreaks can compromise the integrity and security of Copilot, enabling threat actors to exploit the AI for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt containing specific keywords and phrases designed to manipulate Copilot\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the prompt into M365 Copilot through a standard user interface, like a chat window.\u003c/li\u003e\n\u003cli\u003eCopilot processes the prompt, attempting to interpret the user\u0026rsquo;s intent.\u003c/li\u003e\n\u003cli\u003eIf the prompt is successfully injected, Copilot\u0026rsquo;s safety controls are bypassed or overridden due to prompt injection techniques.\u003c/li\u003e\n\u003cli\u003eCopilot generates a response based on the manipulated instructions in the prompt, potentially providing unauthorized access to information or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or uses Copilot to perform actions outside its intended scope.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised Copilot to create and disseminate malicious content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful jailbreak attempts can lead to the disclosure of sensitive company data, generation of harmful or inappropriate content, and circumvention of organizational security policies. A single successful jailbreak can affect multiple users if the generated content is shared. If successful, internal copilots could be used to create phishing messages or generate code that gives the attacker a reverse shell on a machine. The risk is increased due to the widespread adoption of M365 Copilot across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable M365 Exported eDiscovery Prompts logging to capture user interactions with Copilot, as this log source is crucial for detecting jailbreak attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to identify potential jailbreak attempts based on suspicious keywords and patterns in user prompts.\u003c/li\u003e\n\u003cli\u003eImplement filtering mechanisms based on the \u003ccode\u003em365_copilot_jailbreak_attempts_filter\u003c/code\u003e macro to reduce false positives and focus on high-risk activities.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eSubject_Title\u003c/code\u003e field in the M365 eDiscovery prompt logs for the presence of jailbreak keywords and phrases such as \u0026ldquo;act as,\u0026rdquo; \u0026ldquo;bypass,\u0026rdquo; \u0026ldquo;ignore,\u0026rdquo; \u0026ldquo;override,\u0026rdquo; \u0026ldquo;pretend you are,\u0026rdquo; and \u0026ldquo;rules=\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified jailbreak attempts to prevent further exploitation of M365 Copilot.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-m365-copilot-jailbreak/","summary":"The detection identifies attempts to jailbreak Microsoft 365 Copilot through prompt injection techniques that attempt to circumvent built-in safety controls by manipulating rules, bypassing system commands, or requesting AI impersonation.","title":"Microsoft 365 Copilot Jailbreak Attempts via Prompt Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-jailbreak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Copilot"],"_cs_severities":["medium"],"_cs_tags":["microsoft365","copilot","devicecompliance","byod"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances of users accessing Microsoft 365 Copilot from devices that do not meet the organization\u0026rsquo;s compliance standards or are not managed by the IT department. This activity, if unsanctioned, introduces risks like data leakage, malware infections, and policy violations. The detection focuses on identifying access events where the \u003ccode\u003edeviceDetail.isCompliant\u003c/code\u003e or \u003ccode\u003edeviceDetail.isManaged\u003c/code\u003e fields are false within the M365 Copilot Graph API logs. The goal is to proactively flag users accessing corporate resources through unsecured endpoints, enabling security teams to promptly investigate and remediate potential threats or policy breaches linked to shadow IT, unauthorized BYOD practices, or compromised devices lacking adequate security controls. The detection logic is designed to minimize false positives by considering factors like user roles, device types, and network locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser attempts to access M365 Copilot through a web browser or application on a device.\u003c/li\u003e\n\u003cli\u003eAzure AD authenticates the user based on provided credentials.\u003c/li\u003e\n\u003cli\u003eThe device\u0026rsquo;s compliance status and management status are evaluated during the sign-in process.\u003c/li\u003e\n\u003cli\u003eIf the device is flagged as non-compliant (\u003ccode\u003edeviceDetail.isCompliant=false\u003c/code\u003e) or unmanaged (\u003ccode\u003edeviceDetail.isManaged=false\u003c/code\u003e), the sign-in attempt is logged in the M365 Copilot Graph API (AuditLogs.SignIns).\u003c/li\u003e\n\u003cli\u003eThe activity is aggregated and analyzed, noting the user, operating system, browser, IP address, and geographic location.\u003c/li\u003e\n\u003cli\u003eSecurity analysts review flagged events for suspicious patterns.\u003c/li\u003e\n\u003cli\u003eIf unauthorized access is confirmed, the user and/or device are blocked from accessing M365 Copilot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized access to M365 Copilot from non-compliant devices could expose sensitive corporate data to unmanaged or unsecured environments. This increases the risk of data leakage, malware infections, and regulatory compliance violations. If successful, attackers could potentially gain access to sensitive data processed by M365 Copilot, leading to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Splunk Add-on for Microsoft Office 365 and configure it to collect Azure AD Sign-in logs (AuditLogs.SignIns) via the Graph API data input as outlined in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;M365 Copilot Access from Non-Compliant Device\u0026rdquo; to your SIEM and tune for your environment to detect access from non-compliant devices.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on users with a high number of events or access from multiple geographic locations.\u003c/li\u003e\n\u003cli\u003eImplement and enforce Mobile Device Management (MDM) policies to ensure all devices accessing corporate resources are managed and compliant.\u003c/li\u003e\n\u003cli\u003eEducate employees about the risks of using non-compliant devices and the importance of adhering to corporate security policies.\u003c/li\u003e\n\u003cli\u003eReview and refine device compliance policies based on the observed access patterns and potential false positives as described in \u0026ldquo;known_false_positives.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-m365-copilot-non-compliant-access/","summary":"Detection of M365 Copilot access from non-compliant or unmanaged devices that violate corporate security policies, potentially indicating shadow IT, BYOD policy violations, or compromised endpoint access.","title":"M365 Copilot Access from Non-Compliant Devices","url":"https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-non-compliant-access/"}],"language":"en","title":"CraftedSignal Threat Feed — M365 Copilot","version":"https://jsonfeed.org/version/1.1"}