UPDATED Microsoft has chosen not to tell customers about a recently patched vulnerability in M365 Copilot.
The issue allowed M365 Copilot to access the content of enterprise files without leaving a trace in corporate audit logs.
To do this, a malicious insider just had to ask M365 Copilot to summarize a company file without providing a link to it, explained Zack Korman, CTO of cybersecurity firm Pistachio, in a blog post this week.
Your audit log is wrong, and Microsoft doesn’t plan on telling you
Korman wrote that on July 4th, 2025, he discovered that he could prevent M365 Copilot from logging file summary interactions simply by asking.
“Given the problems that creates, both for security and legal compliance, I immediately reported it to Microsoft through their MSRC portal,” he blogged.
“And while they did fix the issue, classifying this issue as an ‘important’ vulnerability, they also decided not to notify customers or publicize that this happened. What that means is that your audit log is wrong, and Microsoft doesn’t plan on telling you that.”
Microsoft just last year started reporting Cloud Service CVEs when patching is not required. But the company said it would only issue CVEs for vulnerabilities deemed “critical,” a policy Google Cloud also adopted last year. As this flaw was merely “important”, the Windows biz fixed it a few days ago without informing customers.
According to Microsoft, Copilot relies on the Microsoft Graph and semantic indexing when generating file summaries. So it may have been that file access checks were not invoked when no file link was generated and no event was logged because the AI model already had access to the content. We can only speculate, however, since Microsoft has said nothing on the matter.
According to Korman, another person had already informed Microsoft about the vulnerability: Michael Bargury, CTO at Zenity, an AI security biz.
Bargury discussed the issue at the Black Hat security conference in August 2024. He demonstrated how M365 Copilot security controls could be bypassed using a jailbreak technique that involves appending caret characters to the model’s prompt.
But according to Korman, Microsoft didn’t bother with a fix until Korman reported the problem last month. He argues that the issue was so trivial to exploit that Microsoft needs to disclose it.
“It might be okay to move on silently if this was some esoteric exploit, but the reality is that it is so easy that it basically happens by accident,” he said. “If you work at an organization that used Copilot prior to August 18th, there is a very real chance that your audit log is incomplete.”
Security researcher Kevin Beaumont used a Mastodon post to say he’s seen some progress here because until about a year ago, Microsoft didn’t disclose any repairs to customer-facing cloud vulnerabilities.
But he argues that cloud providers should be more transparent.
“My feeling is still there needs to be extreme pressure from major governments that all cloud providers they use disclose all cloud service [vulnerabilities] as CVEs as part of their contracts – e.g. DoD, NHS – or no signing for new services,” he said.
Microsoft did not respond to requests for comment. ®
UPDATED AT 00:30 UTC, AUGUST 21st After publicatiion, a Microsoft spokesperson offered the following statement: “We appreciate the researcher sharing their findings with us so we can address the issue to protect customers.”
That comment did not directly address The Register‘s questions.