Microsoft 365 Copilot Studio agent access control policy set to open

microsoft-365

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1556-modify-authentication-process

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when an M365 Copilot Studio bot’s access control settings are modified to Any. This change would indicate any user within the tenant could access the bot application.

Strategy

Monitor Microsoft 365 audit logs for when the @Operation field populates an BotUpdateOperation-BotShare event within the PowerPlatform service. Filter by values within the property collection fields where the Access Control Policy has a new value of Any.

Triage and response

  1. Identify what bot application had their access control policy modified.
  2. Determine if the user {{@usr.id}} is the bot owner or is expected to modify the bot application.
  3. Review audit logs for the Copilot Studio bot for evidence of interactions after the access control policy was modified.
  4. If the setting change was unintended or unauthorized interactions occurred, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.