Microsoft 365 Copilot Studio agent access control policy set to open
Goal
Detect when an M365 Copilot Studio bot’s access control settings are modified to Any. This change would indicate any user within the tenant could access the bot application.
Strategy
Monitor Microsoft 365 audit logs for events within the PowerPlatform service where the @Operation field is BotUpdateOperation-BotShare. Filter on the values in the property collection fields where the Access Control Policy has a new value of Any.
Triage and response
- Identify which bot application had its access control policy modified.
- Determine if the user {{@usr.id}} is the bot owner or is expected to modify the bot application.
- Review audit logs for the Copilot Studio bot for evidence of interactions after the access control policy was modified.
- If the setting change was unintended or unauthorized interactions occurred, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
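The strategy filter and the "interactions after the change" triage step, sketched over constructed audit records (an added example, not the rule's own query or code). The operation name, service and `Any` value come from the text above; the Name/Value property layout, the `BotId` and `AccessControlPolicy` property names, the `Restricted` value and the `ExampleInteraction` operation are assumptions to replace with what your logs contain.

```python
# Added example over constructed records, not real audit data.
# Assumed: Name/Value PropertyCollection layout and the "BotId" /
# "AccessControlPolicy" property names. Verify against your own logs.
SHARE_OP = "BotUpdateOperation-BotShare"

def ev(time, op, user, bot, policy=None):
    """Build one constructed audit record."""
    pc = [{"Name": "BotId", "Value": bot}]
    if policy is not None:
        pc.append({"Name": "AccessControlPolicy", "Value": policy})
    return {"CreationTime": time, "Workload": "PowerPlatform", "Operation": op,
            "UserId": user, "PropertyCollection": pc}

SAMPLE = [  # "ExampleInteraction" and "Restricted" are constructed values
    ev("2024-05-01T08:00:00", "ExampleInteraction", "maker@example.com", "bot-001"),
    ev("2024-05-01T09:00:00", SHARE_OP, "maker@example.com", "bot-001", "Any"),
    ev("2024-05-01T09:05:00", SHARE_OP, "admin@example.com", "bot-002", "Restricted"),
    ev("2024-05-01T09:30:00", "ExampleInteraction", "other@example.com", "bot-001"),
]

def props(rec):
    """Flatten the Name/Value property collection into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("PropertyCollection", [])}

def is_open_share(rec):
    """True when a bot-share update sets the access control policy to Any."""
    return (rec.get("Workload") == "PowerPlatform"
            and rec.get("Operation") == SHARE_OP
            and props(rec).get("AccessControlPolicy") == "Any")

def triage(records):
    """For each change to Any, list later events on that bot by other users."""
    ordered = sorted(records, key=lambda r: r["CreationTime"])
    findings = []
    for i, rec in enumerate(ordered):
        if not is_open_share(rec):
            continue
        bot = props(rec).get("BotId")
        later = [(r["CreationTime"], r["UserId"], r["Operation"])
                 for r in ordered[i + 1:]
                 if props(r).get("BotId") == bot and r["UserId"] != rec["UserId"]]
        findings.append({"bot": bot, "changed_by": rec["UserId"],
                         "changed_at": rec["CreationTime"], "later_events": later})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```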