{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/m365_copilot/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Copilot"],"_cs_severities":["medium"],"_cs_tags":["ai_jailbreak","prompt_injection","m365_copilot"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief covers attempts to jailbreak Microsoft 365 Copilot through prompt injection, specifically focusing on impersonation and roleplay attacks. Attackers attempt to manipulate the AI into adopting alternate personas, behaving as unrestricted entities, or impersonating malicious AI systems. The activity is detected by analyzing exported eDiscovery prompt logs, searching for specific keywords related to roleplaying and impersonation. This technique, first observed in late 2025 and early 2026, is concerning because successful jailbreaks can bypass safety controls, leading to potential data leakage, policy violations, and the generation of harmful content. 
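\u003c/p\u003e\n\u003cp\u003eThe keyword search and categorization described above can be sketched in Python. This is a minimal illustration rather than the provided Sigma rule: the CSV layout and the keyword-to-category mapping are assumptions, while the \u003ccode\u003eSubject_Title\u003c/code\u003e and \u003ccode\u003euser\u003c/code\u003e fields are the ones referenced in this brief.\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e# Hypothetical sketch of the keyword-based categorization; the\n# keyword-to-category mapping is illustrative, and the third\n# category, Malicious_AI_Persona, is omitted for brevity.\nimport csv\n\nCATEGORIES = {\n    'AI_Impersonation': ('pretend you are', 'act as', 'roleplay as', 'imagine you are'),\n    'Unrestricted_AI_Persona': ('you are now', 'amoral'),\n}\n\ndef categorize(prompt):\n    text = prompt.lower()\n    for category, keywords in CATEGORIES.items():\n        if any(k in text for k in keywords):\n            return category\n    return None\n\ndef scan(path):\n    # Subject_Title holds the prompt text in the exported eDiscovery CSV\n    with open(path, newline='') as f:\n        for row in csv.DictReader(f):\n            category = categorize(row.get('Subject_Title', ''))\n            if category:\n                yield row.get('user', 'unknown'), category\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSubstring matching of this kind is deliberately broad and will flag benign prompts (for example, \u0026ldquo;act as my meeting assistant\u0026rdquo;), so production use requires organization-specific filtering.\u003c/p\u003e\n\u003cp\u003e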
The focus of targeting is organizations leveraging Microsoft 365 Copilot for enterprise productivity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt containing keywords like \u0026ldquo;pretend you are,\u0026rdquo; \u0026ldquo;act as,\u0026rdquo; \u0026ldquo;you are now,\u0026rdquo; \u0026ldquo;amoral,\u0026rdquo; \u0026ldquo;roleplay as,\u0026rdquo; or \u0026ldquo;imagine you are.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eThe crafted prompt is submitted to Microsoft 365 Copilot through a standard user interaction.\u003c/li\u003e\n\u003cli\u003eThe prompt is logged by Microsoft 365 and is available for eDiscovery.\u003c/li\u003e\n\u003cli\u003eAn administrator exports the M365 eDiscovery prompt logs from the Microsoft Purview compliance portal.\u003c/li\u003e\n\u003cli\u003eThe exported logs, including the Subject_Title field containing the prompt text, are ingested into a security information and event management (SIEM) system.\u003c/li\u003e\n\u003cli\u003eA detection rule identifies prompts containing the specified keywords.\u003c/li\u003e\n\u003cli\u003eThe rule categorizes the prompt based on the specific keywords used, such as \u0026ldquo;AI_Impersonation,\u0026rdquo; \u0026ldquo;Malicious_AI_Persona,\u0026rdquo; or \u0026ldquo;Unrestricted_AI_Persona.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eIf the jailbreak attempt is successful, the AI may generate responses that violate organizational policies or expose sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful M365 Copilot jailbreak can result in the AI generating harmful or inappropriate content, bypassing security controls, and potentially leaking sensitive information. While the exact number of affected organizations is currently unknown, the potential impact spans any sector utilizing M365 Copilot. 
Consequences include reputational damage, data breaches, and compliance violations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and regularly review M365 Exported eDiscovery Prompts logs for suspicious activity, as this log source is critical for detecting jailbreak attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect M365 Copilot impersonation and roleplay jailbreak attempts.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rule using the \u003ccode\u003em365_copilot_impersonation_jailbreak_attack_filter\u003c/code\u003e macro to reduce false positives based on your organization\u0026rsquo;s specific usage patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003euser\u003c/code\u003e and \u003ccode\u003eimpersonation_type\u003c/code\u003e fields to understand the nature and source of the attempted jailbreak.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T17:30:00Z","date_published":"2024-01-09T17:30:00Z","id":"/briefs/2024-01-09-m365-copilot-jailbreak/","summary":"This detection identifies attempts to jailbreak M365 Copilot by impersonating roles, adopting unrestricted personas, or mimicking malicious AI systems to bypass safety controls. It searches exported eDiscovery prompt logs for roleplay keywords and categorizes prompts into impersonation types to detect persona injection attacks.","title":"M365 Copilot Impersonation Jailbreak Attack","url":"https://feed.craftedsignal.io/briefs/2024-01-09-m365-copilot-jailbreak/"}],"language":"en","title":"CraftedSignal Threat Feed — M365_copilot","version":"https://jsonfeed.org/version/1.1"}