
How Attackers Are Bypassing SharePoint Security Using Copilot AI

Attackers are increasingly exploiting Microsoft’s Copilot AI for SharePoint to bypass security controls and access sensitive data, such as passwords, API keys, and confidential documents.

By leveraging the AI’s capabilities and exploiting weaknesses in SharePoint’s configuration, malicious actors can extract valuable information with alarming ease.

Copilot’s default and custom agents, designed to assist users by querying site data, are prime targets.

Default agents, automatically enabled with Microsoft 365 Copilot licenses, allow attackers to enumerate site content, searching for sensitive files like outdated penetration test reports or credential lists. Custom agents, tailored to access multiple sites, amplify the risk when misconfigured, enabling attackers to pull data from broader scopes.

A significant vulnerability lies in Copilot’s ability to bypass SharePoint’s “Restricted View” privilege, which limits users to viewing documents in a browser without downloading them. Attackers have discovered that Copilot can extract and display restricted file contents directly in its chat interface, allowing sensitive data, such as passwords in a file named “passwords.txt,” to be copied freely.

This bypass occurs because Copilot’s output isn’t subject to download restrictions, rendering traditional access controls ineffective. Additionally, attackers use deceptive prompts, posing as legitimate users, to trick Copilot into scanning and revealing sensitive information. For example, a prompt claiming to be from the security team can convince the AI to list files containing passwords or API keys.

The stealthy nature of these attacks compounds their threat. Copilot queries often evade SharePoint’s standard access logs, making malicious activity difficult to detect. Coupled with common issues like oversharing or lax permissions, attackers can exploit “public” sites or permission drift to access sensitive data discreetly.

A critical zero-click vulnerability, dubbed “EchoLeak,” further escalates the risk. By embedding malicious prompts in emails, attackers can trigger Copilot to retrieve and exfiltrate data from SharePoint without user interaction, bypassing Microsoft’s defenses through trusted domains.

These attacks succeed due to poor data hygiene, over-permissioning, and limited organizational awareness of AI-driven risks. To mitigate these risks, organizations should enforce strict permissions, monitor Copilot activity, and disable agents on sensitive sites.

Removing sensitive data, applying encryption, and adopting zero-trust principles are crucial steps. While Microsoft has patched some flaws, ongoing vigilance and robust configuration are essential to counter these evolving threats, as Copilot’s deep integration with Microsoft 365 continues to introduce new vulnerabilities.
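
A data-hygiene triage in the spirit of the mitigations above, as an added example that is not from the original article or from Microsoft: it ranks files in a site inventory that look like credential stores, and treats "Restricted View" on an agent-enabled site as no protection for the content. The inventory format, field names, sample records and regexes are assumptions constructed for illustration.

```python
import re

# Constructed sample inventory. The record layout is hypothetical (e.g. built
# from your own site export); it is not a SharePoint or Copilot API schema.
INVENTORY = [
    {"site": "/sites/finance", "agent_enabled": True, "permission": "Restricted View",
     "path": "Shared Documents/passwords.txt",
     "text": "svc-backup password: EXAMPLE-ONLY"},
    {"site": "/sites/security", "agent_enabled": False, "permission": "Read",
     "path": "Reports/2019-pentest-report.docx",
     "text": "Findings summary for the 2019 engagement"},
    {"site": "/sites/dev", "agent_enabled": True, "permission": "Read",
     "path": "Docs/deploy-notes.md",
     "text": "set API_KEY=EXAMPLE-PLACEHOLDER before running"},
    {"site": "/sites/hr", "agent_enabled": True, "permission": "Read",
     "path": "Policies/holiday-calendar.xlsx",
     "text": "Office closed on public holidays"},
]

# File names the article calls out: credential lists, old pentest reports.
NAME_RE = re.compile(
    r"passw(or)?d|credential|secret|api[_-]?key|pen(etration)?[ _-]?test", re.I)
# Key/value style secrets inside the document text.
CONTENT_RE = re.compile(r"(password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+", re.I)

def triage(inventory):
    """Return (site, path, reasons) for risky files, most reasons first."""
    findings = []
    for item in inventory:
        reasons = []
        if NAME_RE.search(item["path"]):
            reasons.append("sensitive-name")
        if CONTENT_RE.search(item["text"]):
            reasons.append("credential-pattern")
        if not reasons:
            continue  # nothing credential-like; not a cleanup candidate
        if item["agent_enabled"]:
            reasons.append("agent-enabled-site")
            # Restricted View blocks downloads only; per the article, an
            # agent can still show the content in chat.
            if item["permission"] == "Restricted View":
                reasons.append("restricted-view-only")
        findings.append((item["site"], item["path"], reasons))
    findings.sort(key=lambda f: -len(f[2]))  # stable: ties keep input order
    return findings

if __name__ == "__main__":
    for site, path, reasons in triage(INVENTORY):
        print(f"{site}/{path}: {', '.join(reasons)}")
```

Files at the top of the list are the first candidates for removal, re-permissioning, or having agents disabled on their site.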
