Copilot Vulnerability Lets Attackers Bypass Audit Logs and Gain Hidden Access
gbhackers
A critical vulnerability in Microsoft’s M365 Copilot allowed users to access sensitive files without leaving any trace in audit logs, creating significant security and compliance risks for organizations worldwide.
The flaw, discovered in July 2024, remained largely hidden from customers despite being classified as an “important” vulnerability by Microsoft.
Simple Exploit with Serious Consequences
The vulnerability stemmed from a fundamental flaw in how Copilot handles audit logging. Under normal circumstances, when users ask M365 Copilot to summarize documents, the system records these access events in audit logs, a critical security feature for tracking file access.
However, researchers discovered that simply asking Copilot not to provide file links would cause these audit entries to disappear entirely.


“Just like that, your audit log is wrong. For a malicious insider, avoiding detection is as simple as asking Copilot,” explained the researcher who discovered the flaw.
The vulnerability was so ...
Copyright of this story solely belongs to gbhackers.