Microsoft 365 Copilot Studio agent sign-in topic modified
Goal
Detect when the Microsoft 365 Copilot Studio agent’s system “Sign in” topic is modified. When a customer begins a conversation with the agent, the “Sign in” topic triggers and prompts the user to sign in. Modification of this system topic may indicate an attacker adding actions that manipulate the agent’s login process, including actions that read or exfiltrate the User.AccessToken variable. User.AccessToken holds the user’s access token, which is populated once the user has signed in.
Strategy
Monitor Microsoft 365 audit logs for successful BotComponentUpdate operations (the @Operation field) within the PowerPlatform service, and filter on the property collection fields for values that reference the Signin topic.
Triage and response
- Identify the user who took the action, {{@usr.id}}, the bot application (the value of powerplatform.analytics.resource.bot.id), and the new value of the sign-in topic’s state.
- Determine whether the sign-in topic was moved to the Inactive or Active state.
- Investigate whether the user {{@usr.id}} is the bot owner or is otherwise expected to modify the bot application’s login process.
- If the change was unintended or unauthorized interactions occurred, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
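The detection strategy and the first three triage steps above, run over audit records, as an added example (not part of this rule or of any vendor code). It assumes Microsoft 365 unified audit log records in JSON with Operation, Workload, ResultStatus, UserId and a PropertyCollection list of {Name, Value} pairs, and that the bot id, component name and component state appear under the powerplatform.analytics.resource.* property names the rule refers to; the sample records, the bot id and the owner mapping are constructed.

```python
import json
import re

# Constructed sample audit records (not real data). The PropertyCollection
# names follow the powerplatform.analytics.* convention the rule refers to;
# which names a given BotComponentUpdate record carries is an assumption.
SAMPLE_AUDIT_LINES = [
    json.dumps({  # the case the rule should fire on
        "Operation": "BotComponentUpdate",
        "Workload": "PowerPlatform",
        "ResultStatus": "Success",
        "UserId": "alice@example.com",
        "PropertyCollection": [
            {"Name": "powerplatform.analytics.resource.bot.id", "Value": "bot-0001"},
            {"Name": "powerplatform.analytics.resource.bot_component.name", "Value": "Sign in"},
            {"Name": "powerplatform.analytics.resource.bot_component.state", "Value": "Inactive"},
        ],
    }),
    json.dumps({  # ordinary topic edit: must not match
        "Operation": "BotComponentUpdate",
        "Workload": "PowerPlatform",
        "ResultStatus": "Success",
        "UserId": "bob@example.com",
        "PropertyCollection": [
            {"Name": "powerplatform.analytics.resource.bot.id", "Value": "bot-0001"},
            {"Name": "powerplatform.analytics.resource.bot_component.name", "Value": "Greeting"},
            {"Name": "powerplatform.analytics.resource.bot_component.state", "Value": "Active"},
        ],
    }),
    json.dumps({  # failed update of the sign-in topic: the rule wants successes only
        "Operation": "BotComponentUpdate",
        "Workload": "PowerPlatform",
        "ResultStatus": "Failed",
        "UserId": "mallory@example.com",
        "PropertyCollection": [
            {"Name": "powerplatform.analytics.resource.bot.id", "Value": "bot-0001"},
            {"Name": "powerplatform.analytics.resource.bot_component.name", "Value": "Signin"},
        ],
    }),
    '{not valid json',  # malformed line: skipped, not a crash
]

# "Sign in", "Signin", "Sign-in" and "sign_in" all refer to the same system topic.
SIGNIN_PATTERN = re.compile(r"^sign[\s_-]?in$", re.IGNORECASE)


def property_collection(record):
    """Flatten the PropertyCollection list of {Name, Value} pairs into a dict."""
    return {p.get("Name"): p.get("Value") for p in record.get("PropertyCollection", [])}


def references_signin_topic(props):
    """True if any property value names the Sign in topic."""
    return any(isinstance(v, str) and SIGNIN_PATTERN.match(v.strip()) for v in props.values())


def match_signin_topic_update(record):
    """Apply the rule to one record: a successful BotComponentUpdate in the
    PowerPlatform workload whose properties reference the Sign in topic.
    Returns the fields the triage steps need, or None when the record does not match."""
    if record.get("Workload") != "PowerPlatform":
        return None
    if record.get("Operation") != "BotComponentUpdate":
        return None
    if record.get("ResultStatus") != "Success":
        return None
    props = property_collection(record)
    if not references_signin_topic(props):
        return None
    return {
        "user": record.get("UserId"),
        "bot_id": props.get("powerplatform.analytics.resource.bot.id"),
        "new_state": props.get("powerplatform.analytics.resource.bot_component.state"),
    }


def detect(lines):
    """Run the rule over JSON-per-line audit records and return the matches."""
    matches = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = match_signin_topic_update(record)
        if hit:
            matches.append(hit)
    return matches


def needs_escalation(hit, bot_owners):
    """Triage step: escalate when the editor is not the recorded owner of the bot.
    bot_owners maps bot id to owner and is supplied by the analyst (assumption)."""
    return hit["user"] != bot_owners.get(hit["bot_id"])


if __name__ == "__main__":
    owners = {"bot-0001": "owner@example.com"}  # constructed ownership record
    for hit in detect(SAMPLE_AUDIT_LINES):
        print(f"{hit['user']} updated Sign in topic of {hit['bot_id']} "
              f"(new state: {hit['new_state']}); escalate={needs_escalation(hit, owners)}")
```

The match on the topic name is deliberately tolerant of spelling ("Sign in" versus "Signin") because the property values are display names; tightening it to one form risks missing the event, while widening it beyond the anchored pattern would start catching unrelated topics whose names merely contain "in".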