Microsoft 365 Copilot Studio agent access control policy set to open

microsoft-365

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1556-modify-authentication-process

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when an M365 Copilot Studio bot’s access control settings are modified to Any. This change would indicate any user within the tenant could access the bot application.

Strategy

Monitor Microsoft 365 audit logs for when the @Operation field populates an BotUpdateOperation-BotShare event within the PowerPlatform service. Filter by values within the property collection fields where the Access Control Policy has a new value of Any.

Triage and response

  1. Identify what bot application had their access control policy modified.
  2. Determine if the user {{@usr.id}} is the bot owner or is expected to modify the bot application.
  3. Review audit logs for the Copilot Studio bot for evidence of interactions after the access control policy was modified.
  4. If the setting change was unintended or unauthorized interactions occurred, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.