Microsoft Copilot 365 Security: Risks and Controls for Business 2026

Copilot 365 security: data oversharing, EchoLeak prompt injection, Purview DLP, SharePoint sprawl and a GDPR/NIS2 compliance plan.

Secra · June 8, 2026 · 14 min read

Microsoft Copilot 365 has been the largest introduction of generative AI into corporate environments in recent years. Unlike a standalone chat, it lives inside the productivity fabric of the organization: it indexes SharePoint, OneDrive, Teams, Outlook and Exchange, and generates answers through a RAG pattern (Retrieval Augmented Generation) that combines the Microsoft Graph with a large language model. The attack surface and the leakage risk grow in the same proportion as the amount of content the assistant can reach.

This article walks through how Copilot 365 works under the hood, why data oversharing has become its Achilles heel, what the EchoLeak vulnerability meant, which controls Microsoft offers natively, and which deployment plan minimizes risk without slowing the business. Spoiler: Copilot 365 should not be deployed without a preparatory phase of SharePoint governance and labelling policies.

Key takeaways

  • Copilot 365 respects Microsoft 365 permissions, but it dramatically amplifies the historical oversharing in SharePoint and Teams by making content that used to be buried easily discoverable through natural language.
  • The indirect prompt injection vector via emails and SharePoint documents is real and documented. The EchoLeak vulnerability, reported by Aim Security in 2025 and mitigated by Microsoft, set the pattern.
  • Microsoft Purview provides the core controls: DLP, Sensitivity Labels, Restricted SharePoint Search, audit logs and DSPM for AI. None of them turn themselves on.
  • A prudent deployment requires a 60 to 90 day SharePoint hygiene phase before licensing the workforce.
  • The regulatory fit is clear: GDPR, NIS2 article 21, ISO 27001 A.5.23 and, when Copilot intervenes in automated decisions, the AI Act.

How Copilot 365 works technically

Copilot 365 rests on three components. Each one introduces its own risk.

The first is Microsoft Graph: the tenant graph of objects and relationships (users, files, emails, Teams messages, SharePoint sites). Copilot asks the Graph what content the user issuing the query can see. That is the foundation of the permission model.

The second is the Semantic Index, a vector index that maps the tenant's content into a semantic representation. Without it, Copilot could only do keyword search. With it, Copilot can answer natural language questions across documents, mail threads and conversations, respecting each user's permissions.

The third is the language model, historically GPT-4 family models served from Azure OpenAI instances inside the Microsoft 365 service boundary rather than the public OpenAI service. The user query, the context retrieved through Graph and the Semantic Index, and the system instructions travel to the model, which returns a synthesized response with citations back to the source documents.

Microsoft's formal promise is that Copilot respects the M365 permission model. That is true. The problem is not that it shows users what they should not see. It is that it shows, in a perfectly searchable form and in a single query, everything users technically can see but would normally never have stumbled upon.

Primary risk: data oversharing

Data oversharing is, by some distance, the number one risk of Copilot 365 and the root cause of most real incidents.

SharePoint and Teams have been accumulating permission debt for more than a decade. The People in your organization sharing link (often called Anyone in the organization) is the default link type in thousands of tenants. Libraries created for a one off project remain open to the whole company. Teams sites inherit broad permissions when guests are added. Before Copilot, all that material existed but was buried under navigation layers nobody traversed, and the limits of native search acted as a de facto control.

With Copilot that friction disappears. An employee can ask in natural language about the latest salary review, the acquisition plan, the clauses of the next contract with a key customer or the valuation of a business unit before its sale. If somewhere in the tenant there is a document the user has technical access to, Copilot will find it, summarize it and cite the source.

The user is not attacking anything. They are using the tool exactly as designed. The security control failed long before, when someone marked as Anyone in organization a library that should have been private. Copilot 365 acts as a ruthless revealer of every poorly maintained permission decision in a tenant. Public reports describe employees inadvertently accessing salaries, performance reviews, layoff plans or M&A information within the first week of usage. None involved a technical breach. All involved a prior governance failure.

EchoLeak and prompt injection in Copilot

The second major vector is indirect prompt injection. An attacker plants malicious instructions in a source that Copilot will read as part of its context, for example the body of an email, a SharePoint document or a Teams message. When the user later queries Copilot, the model processes those instructions as if they were part of the legitimate query.

The EchoLeak vulnerability (CVE-2025-32711), reported in 2025 by Aim Security and fixed by Microsoft on the service side before public disclosure, illustrated the pattern in its cleanest form. An external actor sent a crafted email to the victim's mailbox. When the victim later asked Copilot a question whose retrieval pulled that email into the context window, the model followed the embedded instructions and placed sensitive tenant data inside a reference to an attacker controlled URL that the client then fetched, completing the exfiltration. The chain was zero-click: the victim never opened the email or followed a link, and the injected text was worded as instructions to a human reader rather than to an AI, which helped it slip past the prompt injection classifiers in front of the model.

Microsoft patched the specific bug, but the pattern generalizes to any assistant that combines context retrieval, tool execution and response delivery. The surface grows with every new integration: when Copilot reads not only emails and documents but also web pages, meeting transcripts and third party data via Graph Connectors, each source becomes a potential injection channel. The lesson is not that Copilot is insecure, but that every corporate RAG assistant needs specific controls against indirect prompt injection and logs that allow reconstruction of which context was injected into which response.

Copilot 365 specific risks

Beyond oversharing and injection, it is worth having an explicit map of Copilot 365 differential risks.

  • Data oversharing via Semantic Index: as described. The leading risk in both probability and impact.
  • Indirect prompt injection: emails, SharePoint documents, Teams messages or any external indexed source can contain malicious instructions that the model treats as legitimate.
  • Output data exfiltration: Copilot itself can be induced to spill confidential information retrieved from the tenant into a response the user later copies, shares or forwards without noticing its sensitivity.
  • Hallucinations in critical decisions: the model can invent regulatory references, contractual clauses or financial figures with the appearance of an authoritative source. An employee who trusts without verifying introduces an error into a real process.
  • Auditability gaps: Purview logs cover more and more Copilot related events, but they do not always allow reconstruction of which exact fragment of which document was delivered to the model in a given response. For a forensic investigation that may not be enough.
  • Multi-tenant exposure in partner and service provider scenarios: where a service partner operates Copilot experiences across data from several customers, weak tenant segmentation opens the risk of information crossing between customer accounts.
  • Third party Graph Connectors: extensions that index external sources (Jira, Confluence, ServiceNow, code repositories) inherit their own permission issues and become additional surface for injection and leakage.

Pre deployment preparation

The most important rule: Copilot 365 is not deployed without a preparatory governance phase. Activating licenses in a tenant with poorly maintained SharePoint is the recipe for the loudest breaches that have reached the press.

The preparatory phase has three blocks. The first is SharePoint hygiene: identify libraries and sites with overly broad permissions (especially grants to Everyone except external users), review broken permission inheritance, remove stale anonymous access links, archive obsolete content and consolidate orphan sites. Microsoft offers SharePoint Advanced Management as a paid add on with specific tooling for this cleanup: data access governance reports, site access reviews for site owners and Restricted Content Discovery to hide selected sites from Copilot. Restricted SharePoint Search, the allow list mode used during the transition, does not require the add on.

The second block is sensitivity labelling: deploy Purview Sensitivity Labels across the tenant, apply them by default to sites, containers and files, configure inheritance so that content generated or attached by Copilot retains the source label, and define what qualifies as confidential, highly confidential or restricted.

The third block is retention policies. Without coherent retention, the tenant accumulates stale material that Copilot may surface in responses. A medium sized organization typically needs between 60 and 90 days for this phase. Shortcutting it is where haste costs the most.
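A concrete starting point for the first block, as an added example that is not from the original article: a SharePoint Online Management Shell script that lists site groups granting the tenant-wide Everyone except external users (or Everyone) claim, flags sites untouched for a year as archive candidates, and then turns on Restricted SharePoint Search for a pilot allow list. The admin URL, pilot site URLs and output path are placeholders for your tenant; the two claim prefixes are the login name prefixes SharePoint uses for those built-in groups.

```powershell
# Added example, not from the original article. Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator role.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

# Login name prefixes of the tenant-wide claims that make a site effectively public internally.
$BroadClaimPrefixes = @(
    "c:0-.f|rolemanager|spo-grid-all-users",   # Everyone except external users
    "c:0(.s|true"                               # Everyone (includes guests, if enabled)
)

function Get-OversharedSites {
    param(
        [string[]]$ClaimPrefixes,
        [int]$StaleAfterDays = 365
    )
    # Build one regex that matches any of the claim prefixes at the start of a login name.
    $pattern = '^(' + (($ClaimPrefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
    $findings = @()
    # -Limit All walks every site collection; personal OneDrive sites are not returned by default.
    foreach ($site in Get-SPOSite -Limit All) {
        $stale = $site.LastContentModifiedDate -lt (Get-Date).AddDays(-$StaleAfterDays)
        try {
            $groups = Get-SPOSiteGroup -Site $site.Url
        } catch {
            Write-Warning "Could not read groups for $($site.Url): $_"
            continue
        }
        foreach ($g in $groups) {
            # Users holds the login names of the group members; match the tenant-wide claims.
            $hits = @($g.Users | Where-Object { $_ -match $pattern })
            if ($hits.Count -gt 0) {
                $findings += [pscustomobject]@{
                    SiteUrl      = $site.Url
                    Group        = $g.Title
                    Roles        = ($g.Roles -join ";")
                    BroadClaim   = ($hits -join ";")
                    Template     = $site.Template
                    LastModified = $site.LastContentModifiedDate
                    StaleContent = $stale
                }
            }
        }
    }
    return $findings
}

$report = Get-OversharedSites -ClaimPrefixes $BroadClaimPrefixes
# Stale sites that are also broadly readable are the cheapest wins: archive before Copilot sees them.
$report | Sort-Object StaleContent -Descending, SiteUrl | Format-Table -AutoSize
$report | Export-Csv -Path ".\oversharing-inventory.csv" -NoTypeInformation   # placeholder path

# Transition safety net: Copilot and org-wide search only return content from the allow list
# (plus each user's own OneDrive and files shared with them directly).
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList @(
    "https://contoso.sharepoint.com/sites/PolicyLibrary",     # placeholder pilot sites
    "https://contoso.sharepoint.com/sites/ITKnowledgeBase"
)
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList
```

Two caveats when you run this. The allow list is capped at 100 sites and the mode change is not instantaneous, so enable it before the pilot starts rather than on the day. And the group scan only catches grants made through site groups; links shared to individual files or Microsoft 365 group membership that front a team site are not visible here, which is where the data access governance reports of SharePoint Advanced Management earn their price.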

Microsoft native technical controls

Once the foundation is in order, Microsoft offers a set of native controls that should be activated and operated in a coordinated way.

  • Purview DLP for Copilot: policies that block or warn when the model attempts to process or return content labelled as sensitive. It includes specific rules to prevent highly confidential data from appearing in responses that a user can copy outside the controlled environment.
  • Sensitivity Labels with label inheritance: the source label propagates to content generated by Copilot. If Copilot summarizes a document labelled Confidential, the summary inherits the marking and the associated controls (encryption, watermarking, copy restrictions). Copilot also honours label encryption: if the user's usage rights on a protected file do not include EXTRACT, Copilot will not summarize or quote that file at all.
  • Restricted SharePoint Search: limits the scope of the index during a transition window. Copilot and organization-wide search only return content from an allow list of up to 100 sites while general hygiene is completed; users still get their own OneDrive and files shared with them directly. It is a very useful temporary safety net for pilots, not a substitute for fixing permissions, because everything outside the allow list remains reachable by direct link. To hide specific high-risk sites from Copilot permanently, Restricted Content Discovery in SharePoint Advanced Management is the complementary control.
  • Copilot aware Conditional Access: Entra ID policies that gate access to Copilot by location, managed device, sign-in or user risk or device compliance. Copilot authenticates against the Office 365 resource, so policies scoped to Office 365 apply to it; a user on an unmanaged device may see the chat blocked or have export actions restricted.
  • Purview audit logs: enabling and centralizing audit for Copilot related events. This allows responding to questions like which user accessed which document through Copilot, which labels were applied and whether interactions hit DLP policies.
  • DSPM for AI: Data Security Posture Management for AI, within Purview, provides a dedicated view of AI risk in the tenant. It surfaces potentially sensitive prompts and responses, identifies users with anomalous behaviour and helps prioritize policies. It is the dashboard a CISO should open every week.

Activating these controls is not optional for a serious deployment. Each one covers a different angle and complements the rest.
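The audit log bullet above is the one most teams under-use, so here is an added example, not from the original article, of turning Copilot interaction records from the unified audit log into the question the article poses: which user reached which resource through Copilot, and did it carry a sensitivity label. The JSON paths under CopilotEventData (AccessedResources with Name, Id, Type, Action and SensitivityLabelId, plus AppHost) follow Microsoft's documented schema at the time of writing; check them against a raw record from your own tenant before relying on them. The administrator UPN and output path are placeholders.

```powershell
# Added example, not from the original article. Requires the ExchangeOnlineManagement module,
# unified auditing enabled on the tenant, and a role that includes View-Only Audit Logs.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder

function Get-CopilotAccessReport {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date)
    )
    $rows = @()
    # A fixed SessionId with ReturnLargeSet pages through result sets larger than one call returns.
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -RecordType CopilotInteraction -ResultSize 5000 `
            -SessionId $sessionId -SessionCommand ReturnLargeSet
        foreach ($rec in $batch) {
            $data = $rec.AuditData | ConvertFrom-Json
            $ev   = $data.CopilotEventData
            # One row per resource Copilot pulled into context for this interaction.
            # Note what is NOT here: the prompt text and the response text are not in the audit record.
            foreach ($res in @($ev.AccessedResources)) {
                $rows += [pscustomobject]@{
                    Time       = $rec.CreationDate
                    User       = $rec.UserIds
                    AppHost    = $ev.AppHost          # e.g. Word, Teams, Outlook, BizChat
                    Resource   = $res.Name
                    ResourceId = $res.Id
                    Type       = $res.Type
                    Action     = $res.Action
                    LabelId    = $res.SensitivityLabelId
                }
            }
        }
    } while ($batch)
    return $rows
}

$report = Get-CopilotAccessReport

# Users who reached labelled content through Copilot, ranked by number of events.
$report | Where-Object { $_.LabelId } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Single files surfaced to many distinct users: a cheap oversharing signal on live usage.
$report | Group-Object ResourceId |
    Where-Object { ($_.Group.User | Sort-Object -Unique).Count -ge 5 } |
    Select-Object @{n='Resource';e={$_.Group[0].Resource}}, @{n='DistinctUsers';e={($_.Group.User | Sort-Object -Unique).Count}} |
    Format-Table -AutoSize

$report | Export-Csv -Path ".\copilot-access-report.csv" -NoTypeInformation   # placeholder path
```

Label GUIDs resolve to names with Get-Label in a Connect-IPPSSession session. Keep the forensic limit of this data in mind: you learn which documents entered the context, not which passage of which document ended up in the answer, and prompts and responses themselves live in the user's mailbox where eDiscovery, not the audit log, retrieves them. Microsoft has signalled that the audit search Graph API is the long-term interface, so treat the cmdlet as the convenient path rather than the permanent one.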

Step by step deployment plan

A reasonable Copilot 365 deployment plan unfolds across five phases.

Phase 1. SharePoint governance and cleanup, 60 to 90 days. Inventory of sites, identification of oversharing, review campaigns with each site's owner, removal of unnecessary broad access, archiving of obsolete content, deployment of SharePoint Advanced Management if applicable. Without this, you do not move to the next phase.

Phase 2. Sensitivity Labels and DLP. Definition of the label taxonomy, progressive deployment in libraries and containers, configuration of auto labelling for the most critical information types (personal data, financial data, intellectual property), publication of Copilot specific DLP policies, configuration of label inheritance into content generated by the model.

Phase 3. Controlled pilot. Activation of Copilot for a limited group, ideally between 30 and 80 users, with varied profiles across departments and seniority. Restricted SharePoint Search enabled. Intensive monitoring through DSPM for AI and audit logs. Gathering of real use cases, incidents, DLP false positives and training needs. Recommended duration: four to eight weeks.

Phase 4. Phased rollout with communications. Tiered activation by department. Every wave is accompanied by specific training for the team, an acceptable use guide, warnings about verifying responses and clear channels to report incidents. DLP policies tuned after the pilot are maintained.

Phase 5. Continuous monitoring and governance review. Quarterly review of the oversharing posture, adjustment of policies, review of logs and DSPM metrics, lifecycle management of Graph Connectors and annual review of the framework with the security committee and executive leadership.

Skipping any phase, especially the first one, is a shortcut that gets paid for later. Organizations that have deployed Copilot without this sequence have had to stop the rollout and walk back. That costs much more, in money and internal reputation, than doing it right from the start.

Regulatory fit

Copilot 365 touches several regulations in force in the European Union.

The GDPR applies from day one. If content indexed by Copilot includes personal data, which happens in practically any corporate tenant, the records of processing activities must be updated, the need for a data protection impact assessment must be evaluated and the processor contract with Microsoft must be reviewed. When article 9 special category data (health, religion, union membership) enters the picture, the diligence required goes up: this data should not be accessible to Copilot without specific controls.

NIS2 requires under its article 21 cybersecurity risk management measures. Point (g) of article 21(2) explicitly lists basic cyber hygiene practices and cybersecurity training. Deploying Copilot without governing SharePoint or labelling sensitive content is, defensibly, a lack of cyber hygiene. Essential and important entities must be able to show that they evaluated the risk and activated proportionate controls.

ISO 27001 covers the scenario in control A.5.23, dedicated to security in the use of cloud services. An auditor will request the risk assessment of the Copilot service, the list of applied controls, the monitoring records and the acceptable use policy.

The European AI Act comes into play when Copilot intervenes in decisions that can be classified as high risk under Annex III: human resources, credit scoring, access to essential services. In those contexts, the organization becomes a deployer of an AI system and takes on specific obligations of human oversight, logging and impact assessment.

The good news is that a serious Copilot governance program covers the four regulatory fits at once. The bad news is that improvising covers none of them.

Frequently asked questions

Does Microsoft, or my tenant administrator, see my data through Copilot 365?

Microsoft does not use tenant content to train its foundation models and does not send it to the public OpenAI service; the model runs inside the Microsoft 365 service boundary and prompts, retrieved content and responses stay within it. The one documented exception is web grounding: when enabled, Copilot sends a generated search query (not your documents) to Bing under separate terms, so tenants that want strict boundaries should disable it. The tenant administrator, on the other hand, can see through audit logs which resources each user reached via Copilot, and prompts and responses are stored in the user's mailbox where eDiscovery can retrieve them. That capability is the basis for legitimate monitoring and should be addressed in the internal privacy policy.

Can the model be trained on my organization's data?

Not by default. Copilot 365 uses tenant content solely to answer the user's query at that moment (RAG), not to retrain the base model. Responses are not reused to improve the public OpenAI or Microsoft model. This separation is one of the service's key contractual commitments.

Does GDPR apply if Copilot is only used internally?

Yes. GDPR applies to any processing of personal data regardless of channel. If Copilot accesses emails, calendars or documents containing personal data of employees, customers or third parties, processing happens. And therefore the obligations of information, lawful basis, processor contract and data subject rights apply.

Is a pre deployment audit mandatory?

Strictly mandatory, no, but it is recommended practice and an implicit requirement of NIS2, ISO 27001 and any serious risk management framework. A deployment without a prior audit of oversharing and without labelling policies is, in practice, an incident waiting to happen.

What is the real cost of the license?

The official license is priced around 30 US dollars per user per month on annual plans, subject to variation by geography and volume. To that you must add SharePoint Advanced Management if needed and, above all, the internal cost of the governance project: hours from architects, administrators, information owners and training, which in medium sized organizations can match or exceed the license cost in the first year.

What alternatives are there if we block Copilot?

Blocking Copilot 365 without an alternative is not realistic when employees are already using ChatGPT, Gemini or Claude on their own. Reasonable alternatives include corporate platforms based on Azure OpenAI or Amazon Bedrock with data confined inside the environment, custom built specialized assistants, or waiting for a more mature deployment after completing governance. The worst option is to ban without a substitute, because it fuels shadow AI.

Audit your Copilot 365 deployment with Secra

At Secra we support organizations planning or already running a Microsoft Copilot 365 deployment with a dedicated pre deployment readiness assessment and post deployment hardening service. The engagement covers four coordinated fronts: an assessment of oversharing in SharePoint, OneDrive and Teams; a review of Sensitivity Labels status and Copilot oriented DLP policies; an evaluation of the Conditional Access model, audit logs and DSPM for AI configuration; and the design of the phased deployment plan aligned with the GDPR, NIS2 and ISO 27001 frameworks.

The goal: that Copilot 365 delivers value to the business without becoming the channel of the next breach. Contact our team at Secra.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
