Microsoft has chosen not to tell customers about a recently patched vulnerability in M365 Copilot.

The issue allowed M365 Copilot to access the content of enterprise files without leaving a trace in corporate audit logs.

To do this, a malicious insider just had to ask M365 Copilot to summarize a company file without providing a link to it, explained Zack Korman, CTO of cybersecurity firm Pistachio, in a blog post this week.

Your audit log is wrong, and Microsoft doesn’t plan on telling you

Korman wrote that on July 4th, 2025, he discovered that he could prevent M365 Copilot from logging file summary interactions simply by asking.

"Given the problems that creates, both for security and legal compliance, I immediately reported it to Microsoft through their MSRC portal," he blogged.

"An
