By Daniel Blank, COO at Hornetsecurity. Hornetsecurity were finalists in the ‘Security Innovation of the Year (Enterprise)’ category at The 2024/25 Cloud Awards.
Copilots are cutting-edge AI-driven assistants.
Microsoft’s Copilot is revolutionizing work by streamlining tasks, boosting efficiency, and transforming collaboration. By integrating with popular Microsoft tools like Word, Excel, and Teams, it offers a seamless experience for generating content, analyzing data, and automating routine workflows.
For businesses that use Microsoft 365 (M365), Copilot stands out as a transformative tool for enhancing productivity. Its deep integration within the Microsoft suite allows it to harness company data effectively, generating relevant and precise results tailored to specific business requirements.
Like any advanced technology, Copilot’s adoption brings security concerns that shouldn’t be ignored. The default permissions in Microsoft 365, when combined with Copilot, can pose risks if not properly configured. These settings are easily accessible and vulnerable to misuse, which increases the likelihood of data breaches. To mitigate these risks, businesses must take proactive steps to understand and address potential security gaps. For organisations looking to leverage Copilot effectively, balancing its benefits with robust safeguards is essential to ensure its rewards outweigh the dangers.
The Power and the Perils of Default Permissions
Copilot’s seamless integration across M365 is a productivity game-changer, tapping into data from SharePoint Online, OneDrive for Business, and other Office apps. It automates time-consuming tasks, such as sourcing emails and workflows to build schedules or compiling data for financial reports—all without the need for manual uploads. This functionality can save hours and boost efficiency, allowing employees to focus on strategic work rather than tedious data gathering.
This, though, comes with significant security challenges. Copilot’s broad access to organizational data hinges on the level of access a Copilot user has within M365. If left untouched, default permission settings are often more permissive than businesses realise. This problem also applies to long-established M365 environments where share permissions have been neglected or mismanaged over time. These settings can allow users, intentionally or not, to access and share sensitive information far beyond their roles. For example, an entry-level employee drafting a presentation might unknowingly include confidential financial details that Copilot pulled from executive-only files, simply because permissions weren’t properly restricted.
The risks escalate when combined with advanced prompt engineering techniques that can manipulate Copilot’s data retrieval capabilities. Without proactive oversight, companies may leave themselves vulnerable to data leaks, unauthorized access, and even social engineering attacks. To limit these risks, businesses must customize permissions to reflect departmental roles and hierarchy, ensuring that Copilot’s power is harnessed safely rather than becoming a liability.

How Hackers can Exploit Copilot
Default permissions or poorly managed settings in M365 create both direct and indirect opportunities for threat actors to exploit the company’s data via Copilot. The most apparent risk is unauthorised access to sensitive data, which can easily fall into the wrong hands. For instance, a cyber-criminal posing as a coworker might trick an unsuspecting employee into sharing confidential information. Because Copilot can quickly locate data—thanks to permissive M365 settings—the employee may unknowingly provide access without realizing its sensitivity.
Beyond accidental exposure, malicious insiders pose a deliberate threat. Rogue employees can leverage Copilot to extract and share confidential company information with competitors or cybercriminals. This insider risk becomes more dangerous when Copilot’s powerful data retrieval capabilities are left unchecked.
Account breaches present another critical concern. If a threat actor compromises an employee’s M365 account, they gain access to Copilot’s insights, enabling targeted spear-phishing campaigns. By impersonating legitimate employees and using information gathered from Copilot, hackers can manipulate others into disclosing sensitive data.
Finally, skilled attackers can exploit AI vulnerabilities through prompt engineering. While Copilot is designed to block harmful requests, advanced users understand how to bypass safeguards and manipulate the system. Known as jailbreaks, these methods allow threat actors to trick AI into providing restricted information. Given that all major language models have known exploits, bad actors will likely leverage these weaknesses to their advantage. That said, Microsoft has done a fairly good job of preventing jailbreaks with regard to Copilot. It’s important to remember, though, that no system is 100% perfect.
These scenarios highlight the urgent need for organizations to tighten SharePoint Online and OneDrive for Business permissions and implement robust security measures, ensuring they stay ahead of potential threats when enabling Copilot.

Maximizing Copilot’s Potential While Safeguarding your Data
While Copilot’s capabilities offer game-changing productivity gains, blindly enabling it without verifying your M365 security posture can expose organisations to significant risks. The good news? With the right security measures, businesses can harness Copilot’s potential without compromising their data. Here’s how to strike the perfect balance:
1) Customize M365 Permissions
Review and adjust M365’s default permissions to ensure they align with business needs. Focus on controlling access to SharePoint, OneDrive, and Teams, granting employees access only to the data they need for their roles. This is especially critical for regulated industries like healthcare and finance. Consider using advanced permission management tools to identify and fix weak configurations, as Microsoft’s built-in tools often fall short.
2) Schedule Regular Security Audits
Permissions aren’t ‘set and forget.’ Conduct routine cybersecurity audits to verify that access controls remain aligned with company policies. Regular checks ensure that sensitive information stays protected as roles and responsibilities evolve.
It is advisable to use robust permission management solutions for greater efficacy and accuracy, both in setting up M365 permissions and in auditing and updating them.
3) Train Employees on Security Best Practices
Educate staff on how to use Copilot effectively while emphasising security awareness. Employees should understand potential risks, including social engineering tactics and internal threats. Reinforce this training with regular updates to keep security top of mind.
4) Adopt a Zero-Trust Approach
Operate under the assumption that every request could be a threat. Implement a zero-trust security model that requires multi-factor authentication (MFA) and/or passkeys for all accounts. This extra layer of protection makes it significantly harder for attackers to gain access.
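For the permission review and recurring audits in steps 1 and 2, the following added example (not code from Hornetsecurity or Microsoft) flags sensitive items granted to organisation-wide principals and lists what a given user, and therefore Copilot acting for that user, can reach. The export columns, labels, group memberships, addresses and the `org-wide link` principal name are constructed assumptions.

```python
import csv
import io

# Constructed sample of a permissions export; column names and rows are
# assumptions for illustration, not the schema of any Microsoft report.
SAMPLE_EXPORT = """item,principal,principal_type,label
/sites/finance/FY25-forecast.xlsx,Finance Leadership,group,Confidential
/sites/finance/FY25-forecast.xlsx,Everyone except external users,group,Confidential
/sites/hr/salary-bands.docx,HR Team,group,Confidential
/sites/hr/salary-bands.docx,org-wide link,link,Confidential
/sites/marketing/brand-guide.pptx,Everyone except external users,group,General
/sites/exec/board-minutes.docx,Executive Team,group,Highly Confidential
"""

# Principals treated as "every employee" (hypothetical policy list).
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users", "org-wide link"}
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}

# Constructed group membership used to resolve what one user can reach.
GROUPS = {
    "Finance Leadership": {"cfo@example.com"},
    "HR Team": {"hr.lead@example.com"},
    "Executive Team": {"ceo@example.com", "cfo@example.com"},
}

def load_grants(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_overshared(grants):
    """Sensitive items granted to a principal that covers the whole organisation."""
    return sorted({(g["item"], g["principal"]) for g in grants
                   if g["label"] in SENSITIVE_LABELS and g["principal"] in BROAD_PRINCIPALS})

def reachable_by(user, grants, groups=GROUPS):
    """Items the user can read, and so items Copilot may draw on for that user."""
    items = set()
    for g in grants:
        if g["principal"] in BROAD_PRINCIPALS or user in groups.get(g["principal"], set()):
            items.add(g["item"])
    return sorted(items)

def sensitive_exposure(user, grants):
    labels = {g["item"]: g["label"] for g in grants}
    return [i for i in reachable_by(user, grants) if labels[i] in SENSITIVE_LABELS]

if __name__ == "__main__":
    grants = load_grants(SAMPLE_EXPORT)
    print("overshared:", find_overshared(grants))
    print("intern exposure:", sensitive_exposure("intern@example.com", grants))
```

Running the same check on each scheduled audit and comparing the flagged list with the previous run shows whether oversharing is shrinking or creeping back.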
In the evolving landscape of AI-driven tools, balancing innovation with security is key. By addressing M365’s default permissions and fostering a culture of security, organisations can confidently harness Copilot’s transformative potential—boosting efficiency without jeopardising sensitive data.
