On July 4, 2025, a flaw was discovered that allowed M365 Copilot to summarize enterprise files without generating entries in the corporate audit log, provided the user referred to the file by name or description rather than supplying a link to it. The vulnerability allowed file content to be read without leaving an audit trace, which undermines both security monitoring and the legal and compliance obligations that depend on the audit log being complete. The issue was reported to Microsoft through the MSRC portal; Microsoft fixed it and classified it as an "important" vulnerability, but chose not to notify customers or publicize the fix. Copilot retrieves content through Microsoft Graph and semantic indexing, and the code path taken when no file link is provided may not have invoked the access checks that produce audit records. Another security researcher had previously reported the same issue to Microsoft and discussed it at a security conference.
"Given the problems that creates, both for security and legal compliance, I immediately reported it to Microsoft through their MSRC portal," he blogged. "And while they did fix the issue, classifying this issue as an 'important' vulnerability, they also decided not to notify customers or publicize that this happened. What that means is that your audit log is wrong, and Microsoft doesn't plan on telling you that."