Reconnaissance
Suspicious Copilot for M365 Access
Detection overview
The "M365 Suspicious Copilot for M365 Access" detection identifies when a session using the Copilot for M365 feature originates from an atypical location for the user or environment. This detection helps identify potential misuse of M365 Copilot for reconnaissance or data extraction within an organization's Microsoft 365 ecosystem.
Triggers
- A Copilot for M365 session was initiated by a user originating from a location that is unusual for the user and/or environment within the context of this functionality.
Possible Root Causes
- An attacker may be using the Copilot for M365 functionality to simplify their ability to discover knowledge documented within your environment that can help them enable their next steps within your environment (i.e. IT policies and procedures, documented static passwords/accounts, etc.).
- An attacker may be using the Copilot for M365 functionality to simplify the discovery and extraction of sensitive information from e-mails stored within the M365 environment.
- A legitimate user has accessed this functionality from a location that is not typical for your environment, but is using the functionality for benign/approved use cases.
Business Impact
- An attacker utilizing Copilot for M365 can simplify the process of mining important knowledge about your organization and hide files that were accessed to support gaining that knowledge. This is because Copilot for M365 does not always log the files accessed to provide a response.
Steps to Verify
- This detection is most interesting when it is accompanied by other detections indicating this account may be compromised.
- Review whether the unusual location aligns with what is expected for this user.
- Consult the available logs to determine if the activity prior to the registration is as expected.
- If warranted, reach out to the account owner to confirm they accessed this functionality in this way.
Suspicious Copilot for M365 Access
Possible root causes
Malicious Detection
Attackers who have compromised an account might use M365 Copilot to streamline the discovery of sensitive information within the environment. By leveraging Copilot, attackers can quickly access documented internal knowledge such as IT policies, credentials, and other strategic information, enabling them to plan subsequent attack phases more effectively.
Benign Detection
Legitimate users may access M365 Copilot from an unusual location due to travel or remote work. While the behavior may appear suspicious, it could align with standard business activities, such as remote employees using secure connections from different geographic areas.
Suspicious Copilot for M365 Access
Example scenarios
1. Unauthorized Copilot Use from Abroad
A user’s account logs in from an overseas location and initiates a Copilot session. This could signal an attacker leveraging Copilot for reconnaissance.
2. Legitimate Remote Worker with Access
An employee working remotely uses Copilot from a location unfamiliar to the organization's usual activity logs. Verification confirms legitimate usage.
Suspicious Copilot for M365 Access
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Organizational Knowledge Exposure
Attackers using Copilot can mine critical knowledge, gaining insights that could facilitate further attacks and compromise the organization’s security posture.
Data Extraction Risk
Sensitive documents and emails accessed via Copilot can be exposed without leaving easily traceable logs, presenting a significant data loss risk.
Operational Security Challenge
The potential for undetected reconnaissance using M365 Copilot poses a risk of ongoing knowledge theft, impacting long-term security monitoring and response capabilities.
Suspicious Copilot for M365 Access
Steps to investigate
Review Login and Access Logs
Check access logs for unusual login locations and correlate them with other suspicious activities involving the account.
Confirm User Activity
Reach out to the account owner to verify if the Copilot access was authorized and if it aligns with their current tasks.
Analyze Access Patterns
Examine if the Copilot session was followed by other suspicious actions, such as unusual data downloads or file access.
Cross-Reference with Other Detections
Ensure that this detection is not part of a broader pattern of suspicious activities involving the same account.
Suspicious Copilot for M365 Access
MITRE ATT&CK techniques covered
Suspicious Copilot for M365 Access
Related detections
FAQs
What does this detection signify?
It indicates access to M365 Copilot from an unusual location, potentially by an attacker using stolen credentials.
What should I do if this detection is triggered?
Review the user's access details and reach out for verification. Check related activities for any signs of malicious behavior.
What are common attacker objectives with Copilot misuse?
To gather information that can aid in lateral movement, persistence, or data exfiltration.
Could this relate to travel or remote work?
Yes, remote work or travel could result in unexpected access locations, though these should be verified.
What further steps are recommended?
Monitor the account for subsequent suspicious behavior and consider implementing location-based access restrictions.
Why is this significant?
M365 Copilot can provide comprehensive access to documented information, posing a high risk if misused.
Can this detection be benign?
Yes, if a legitimate user accesses Copilot from an approved but uncommon location.
How does Copilot usage avoid detection?
Copilot's functionality might not always log which files are accessed to generate responses, making it difficult to trace the full scope of its use.
Is data exfiltration possible with this detection?
Yes, attackers can leverage knowledge gained from Copilot to exfiltrate or misuse sensitive data.
Are there related detections that should be monitored?
Unusual eDiscovery searches or suspicious login events can complement this detection in identifying potential account compromise.