Copilot Agent: The Good, the Bad, and the Ugly
Steven Lim
Favikon Top Cybersecurity / IT & Tech LinkedIn Creators | VP | Director | KQLWizard
It's been a while since my last LinkedIn article in August, but after attending some of the online sessions from Microsoft Ignite, I felt inspired to write this article about Copilot Agents. This product was one of the central features showcased by Microsoft, and I've had extensive experience using it over the past nine months as both an end user and a system and cybersecurity admin for my organization.
The Good: Copilot Agents are revolutionizing the way we work, offering unparalleled assistance and efficiency. These AI companions streamline workflows, handle mundane tasks, and provide valuable insights, freeing up our time for more strategic endeavors. They learn and adapt to our preferences, making interactions smoother and more personalized.
For example, I bought the book "The Definitive Guide to KQL" from Microsoft Press and built a Copilot Agent for it. This agent references KQL programming information and helps me generate optimized KQL statements for my threat hunting and detection queries.
The Bad: In the realm of cybersecurity, Copilot Agents introduce significant compliance and control challenges. Microsoft designed these agents so that Tenant Admins have no control over who can create them. This lack of oversight can lead to security gaps, as unauthorized individuals might create Copilot Agents without proper security protocols, potentially exposing sensitive information and increasing the risk of cyber-attacks. All relevant information can be found in Message Center MC908119.
To address this shortfall, I’ve developed a custom KQL detection in Defender XDR. This detection identifies any newly installed, non-whitelisted Copilot extensions and alerts the M365 Admin for review. The M365 Admin can then block these extensions in the Integrated Apps section of the admin portal, reclaiming some control.
// Add your whitelisted extensions or plugins to WLExtensions
let WLExtensions = dynamic(["BingWebSearch"]);
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType == @"CopilotInteraction"
// The user id and the Copilot payload live inside the RawEventData JSON blob
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
// Id of the first plugin invoked during the interaction
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)
// Keep only plugins that are not on the whitelist
| where not (CopilotPlugin has_any (WLExtensions))
| project Timestamp, AccountObjectId, UserID, CopilotPlugin, ReportId
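For readers who want to reason about this detection outside Defender XDR, here is an added Python re-implementation of the same filter chain run over constructed sample rows (example code, not the KQL from the article). It assumes the field shape the query reads (RawEventData.UserId and CopilotEventData.AISystemPlugin[].Id), uses exact allowlist membership rather than KQL's has_any term matching, and goes further than the query above by checking every plugin in AISystemPlugin instead of only index 0.

```python
import json

# Approved Copilot extensions/plugins; mirrors WLExtensions in the KQL above (constructed)
WL_EXTENSIONS = {"BingWebSearch"}

def make_event(ts, action, user, copilot_data, rid):
    """Build a constructed CloudAppEvents-like row carrying the fields the KQL reads."""
    return {"Timestamp": ts, "ActionType": action, "AccountObjectId": "obj-" + rid,
            "ReportId": rid, "RawEventData": {"UserId": user, "CopilotEventData": copilot_data}}

def plugins(*ids):
    return {"AISystemPlugin": [{"Id": i} for i in ids]}

# Constructed sample rows covering the cases the detection has to handle
SAMPLE_EVENTS = [
    make_event("2024-11-20T09:00Z", "CopilotInteraction", "alice@contoso.example", plugins("BingWebSearch"), "r1"),
    # second plugin is unapproved; the KQL's AISystemPlugin[0] would only ever see BingWebSearch
    make_event("2024-11-20T09:05Z", "CopilotInteraction", "bob@contoso.example", plugins("BingWebSearch", "KQLGuideAgent"), "r2"),
    # interaction without any plugin: isnotempty() drops it
    make_event("2024-11-20T09:10Z", "CopilotInteraction", "carol@contoso.example", plugins(), "r3"),
    # not a Copilot event; removed by the ActionType filter
    make_event("2024-11-20T09:15Z", "FileAccessed", "dave@contoso.example", None, "r4"),
    # payload delivered as a JSON string, which is why the KQL wraps it in todynamic()
    make_event("2024-11-20T09:20Z", "CopilotInteraction", "erin@contoso.example", json.dumps(plugins("UnknownPlugin")), "r5"),
]

def plugin_ids(event):
    """Return every AISystemPlugin Id in the event, tolerating a stringified payload."""
    data = (event.get("RawEventData") or {}).get("CopilotEventData")
    if isinstance(data, str):
        try:
            data = json.loads(data)
        except json.JSONDecodeError:
            return []
    entries = (data or {}).get("AISystemPlugin") or []
    return [p["Id"] for p in entries if isinstance(p, dict) and p.get("Id")]

def find_unapproved_plugins(events, allowlist=WL_EXTENSIONS):
    """Same filter chain as the KQL, but evaluating every plugin rather than only index 0."""
    alerts = []
    for ev in events:
        if ev.get("ActionType") != "CopilotInteraction":
            continue
        unapproved = [pid for pid in plugin_ids(ev) if pid not in allowlist]
        if unapproved:  # covers both isnotempty() and the not-has_any filter
            alerts.append({"Timestamp": ev["Timestamp"], "AccountObjectId": ev["AccountObjectId"],
                           "UserID": ev["RawEventData"]["UserId"],
                           "CopilotPlugin": unapproved, "ReportId": ev["ReportId"]})
    return alerts
```

Running find_unapproved_plugins(SAMPLE_EVENTS) yields two alerts: bob's second plugin (KQLGuideAgent), which the index-0 form of the query would miss, and erin's stringified UnknownPlugin payload.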
The Ugly: Consider a scenario where a user account is compromised, and a threat actor uses this account to create a Copilot Agent on a highly sensitive SharePoint site that the compromised user has access to. The threat actor could then exfiltrate data by accessing the private link created by the Copilot Agent, slowly extracting information as needed by providing the relevant prompts. This scenario highlights the significant risks associated with insufficient access controls and the potential for misuse of Copilot Agents in critical environments.
To address such threats, I have additionally deployed the Sentinel Solution for Microsoft Power Platform and created a KQL detection that combines Sentinel Behavior Analytics with the Power Platform tables to monitor any potentially malicious Copilot Agent creation.
// Users flagged by Behavior Analytics with a positive investigation priority and a high blast radius
let HighRiskUsers =
BehaviorAnalytics
| where InvestigationPriority > 0
| where UsersInsights.BlastRadius == "High"
| where ActivityType == "LogOn"
| where ActionType == "ResourceAccess"
| distinct UserPrincipalName;
// Bot creation, bot component creation and bot publish events performed by those users
PowerPlatformAdminActivity
| where EventOriginalType in ("BotCreate", "BotComponentCreate", "BotUpdateOperation-BotPublish")
| where ActorName has_any(HighRiskUsers)
Conclusion: Copilot Agents offer a powerful tool for enhancing productivity and efficiency, but they also bring new challenges and risks, especially in the realm of cybersecurity. By recognizing both the benefits and the potential pitfalls, we can better leverage these tools while ensuring robust security measures are in place. My experiences over the past nine months have shown me both the incredible potential and the critical vulnerabilities of Copilot Agents, and I hope this article provides valuable insights for those considering their implementation.
Updated 26/11/2024:
Additional controls introduced by Microsoft
Do support this LinkedIn article if you find the information useful, and repost it to share with the wider Microsoft cyber defender community. Thanks!
HanseVision | Microsoft MVP Copilot & M365, Corporate Influencer, Viva Explorer, Employee Experience, International Speaker, Governance Pro
3 months Steven Lim I would highly appreciate it if you could share a few steps to create these malicious agents; I would like to trigger your KQL script.
Senior M365 ACE Engineer | Advanced Cloud Engineering
3 months Regarding your statement: "The Ugly: Consider a scenario where a user account is compromised, and a threat actor uses this account to create a Copilot Agent on a highly sensitive SharePoint site that the compromised user has access to." I wonder how this differs from a threat actor using the compromised user's account to gather information directly through Copilot prompts. Isn't the real risk the compromise of user credentials rather than the Copilot Agent itself? It doesn't seem like a Copilot Agent-specific risk as portrayed.
Tencent - Sr Cloud Consultant | Reshaping IT operations with AI and automation.
4 months Question: Are any automated actions triggered when a high-risk user creates an agent using Copilot Studio?
Tencent - Sr Cloud Consultant | Reshaping IT operations with AI and automation.
4 months Insightful! Thanks Steven
Favikon Top Cybersecurity / IT & Tech LinkedIn Creators | VP | Director | KQLWizard
4 months Purav D. Bro, this article covers all aspects of Copilot Agents. Hope you find it useful.