Microsoft 365 Copilot interaction flagged as indirect attack
Goal
Detect when an M365 Copilot Studio bot experiences an indirect attack as defined by Microsoft’s content safety checks.
The Microsoft-generated alert attempts to identify whether an actor has embedded instructions for the agent in order to maliciously gain access to unauthorized data or control of the system.
Strategy
Monitor Microsoft 365 audit logs for when the @CopilotEventData.AccessedResources.Type includes an IndirectAttack flag within the Copilot service logs.
Triage and response
- Identify which user, {{@usr.id}}, and action triggered the Microsoft content safety alert. The @CopilotEventData.AccessedResources.Name includes the user action which generated the IndirectAttack alert.
- Determine if the user {{@usr.id}} and the action taken represent malicious behavior for your organization’s bot.
- If the interaction prompted the bot for unauthorized access or attempted to manipulate the bot, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
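
The strategy and triage steps above, run offline over exported audit records, as an added example that is not part of the original page or the vendor's rule. It flags records whose AccessedResources.Type includes IndirectAttack and lists the same user's operations within ten minutes; the UserId, CreationTime and Operation field names and all sample values are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). UserId, CreationTime and
# Operation are assumed to be the raw audit fields behind @usr.id and the event time.
SAMPLE_LOGS = [
    '{"CreationTime":"2025-01-10T09:00:05","UserId":"alice@example.com","Operation":"CopilotInteraction","CopilotEventData":{"AccessedResources":[{"Type":"File","Name":"q3-plan.docx"}]}}',
    '{"CreationTime":"2025-01-10T09:02:00","UserId":"bob@example.com","Operation":"CopilotInteraction","CopilotEventData":{"AccessedResources":[{"Type":"IndirectAttack","Name":"SummarizeExternalPage"}]}}',
    '{"CreationTime":"2025-01-10T09:05:30","UserId":"bob@example.com","Operation":"FileDownloaded"}',
    '{"CreationTime":"2025-01-10T11:30:00","UserId":"bob@example.com","Operation":"FileAccessed"}',
    'truncated-line-not-json',
]

def when(rec):  # CreationTime as a datetime, or None when absent or unparseable
    try:
        return datetime.fromisoformat(rec.get("CreationTime", ""))
    except (TypeError, ValueError):
        return None

def flagged_names(rec):
    """Names of accessed resources whose Type includes the IndirectAttack flag."""
    data = rec.get("CopilotEventData")
    resources = data.get("AccessedResources") if isinstance(data, dict) else None
    names = []
    for res in resources if isinstance(resources, list) else []:
        rtype = res.get("Type", "") if isinstance(res, dict) else ""
        text = " ".join(map(str, rtype)) if isinstance(rtype, list) else str(rtype)
        if "indirectattack" in text.lower():
            names.append(res.get("Name", "<no name>"))
    return names

def detect(lines, window=timedelta(minutes=10)):
    """One finding per flagged record, plus the same user's operations within window."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
    records = [r for r in records if isinstance(r, dict)]
    findings = []
    for rec in records:
        names, user, t = flagged_names(rec), rec.get("UserId"), when(rec)
        if not names:
            continue
        nearby = [r.get("Operation") for r in records if r is not rec
                  and r.get("UserId") == user and t and when(r) and abs(when(r) - t) <= window]
        findings.append({"user": user, "time": rec.get("CreationTime"), "actions": names, "nearby": nearby})
    return findings
```

Calling `detect(SAMPLE_LOGS)` returns a single finding for the second record, with the user, the flagged action name and the nearby operations to review during triage.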