Microsoft Fixes Critical Copilot Flaw Allowing Audit Log Evasion

Silent Microsoft 365 Copilot flaw fix raises concerns over hidden data breaches and disclosure practices.


Key Takeaways:

  • A critical flaw in Microsoft 365 Copilot allowed hidden access to enterprise files.
  • Security logs could be bypassed, leaving no trace of data theft.
  • Microsoft quietly patched the issue without notifying customers.

Microsoft has quietly patched a critical flaw in Microsoft 365 Copilot that could allow hackers to access and summarize enterprise files without generating any record in the audit log. This loophole meant attackers could steal sensitive data while leaving no trace for security teams to detect.

In a blog post, Zack Korman, CTO of cybersecurity firm Pistachio, detailed that he discovered the Microsoft 365 Copilot flaw on July 4, 2025. Typically, whenever Copilot accesses a file on behalf of a user, the action is logged in the Microsoft 365 audit log, a key feature for security monitoring and compliance.

How could hackers evade audit logs?

However, the researcher discovered that if a hacker instructed Microsoft 365 Copilot not to include a reference link, the AI assistant would still access and summarize the file, but without creating any entry in the audit logs. This loophole meant attackers could steal sensitive data without leaving a trace.
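The article's point is that the audit log is the control teams rely on, and this flaw removed the entry a file access should have produced. Since a missing record cannot be found by looking for it, one practical review is to look for Copilot interactions that returned a substantial answer while naming no accessed resource. The script below is an added illustration for this article, not code from the article, from Pistachio, or from Microsoft; the record layout (Operation, UserId, AccessedResources, ResponseLength), the sample rows and the length threshold are all constructed assumptions, not a documented export schema.

```python
"""Gap check over Microsoft 365 Copilot audit records.

Added illustration for this article; not code from the article, from
Pistachio, or from Microsoft. The article states that a Copilot file access
should always produce an audit entry, so an interaction record that lists no
accessed resource yet produced a long response is worth a second look.
The field names below are an assumed approximation of an audit export.
"""
from __future__ import annotations

import json
from collections import Counter

# Constructed sample export (not real data): three Copilot interactions, one
# of which produced a long response while listing no accessed resource.
SAMPLE_AUDIT_JSON = json.dumps([
    {"Id": "1", "CreationTime": "2025-07-04T09:00:00Z",
     "Operation": "CopilotInteraction", "UserId": "alice@example.com",
     "AccessedResources": [{"Name": "Q3-forecast.xlsx", "Id": "site/doc/1"}],
     "ResponseLength": 820},
    {"Id": "2", "CreationTime": "2025-07-04T09:05:00Z",
     "Operation": "CopilotInteraction", "UserId": "alice@example.com",
     "AccessedResources": [], "ResponseLength": 1140},
    {"Id": "3", "CreationTime": "2025-07-04T09:07:00Z",
     "Operation": "CopilotInteraction", "UserId": "bob@example.com",
     "AccessedResources": [], "ResponseLength": 40},
    {"Id": "4", "CreationTime": "2025-07-04T09:09:00Z",
     "Operation": "FileAccessed", "UserId": "bob@example.com",
     "ObjectId": "site/doc/2"},
])

# Assumed threshold: a one-line reply plausibly needs no file; a long
# summary with no named source is the pattern to review.
MIN_SUSPICIOUS_RESPONSE_LEN = 500


def load_records(raw: str) -> list[dict]:
    """Parse an audit export given as a JSON array of records."""
    return json.loads(raw)


def copilot_interactions(records: list[dict]) -> list[dict]:
    """Keep only the Copilot interaction records."""
    return [r for r in records if r.get("Operation") == "CopilotInteraction"]


def unattributed_interactions(records: list[dict],
                              min_len: int = MIN_SUSPICIOUS_RESPONSE_LEN) -> list[dict]:
    """Copilot interactions with a substantial response but no accessed resource."""
    return [r for r in copilot_interactions(records)
            if not r.get("AccessedResources")
            and r.get("ResponseLength", 0) >= min_len]


def per_user_gap_ratio(records: list[dict]) -> dict[str, float]:
    """Share of each user's Copilot interactions that name no resource at all.

    A sudden rise in this ratio for one account is a cheap signal to review
    alongside other file-activity telemetry.
    """
    total: Counter = Counter()
    empty: Counter = Counter()
    for r in copilot_interactions(records):
        total[r["UserId"]] += 1
        if not r.get("AccessedResources"):
            empty[r["UserId"]] += 1
    return {user: empty[user] / total[user] for user in total}


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_JSON)
    for r in unattributed_interactions(recs):
        print(f"review: {r['CreationTime']} {r['UserId']} id={r['Id']} "
              f"response_len={r['ResponseLength']} no AccessedResources")
    print(per_user_gap_ratio(recs))
```

Run against a real export, the check only surfaces candidates for review; the article's core point stands that a log entry suppressed at the source leaves nothing to reconcile, which is why customer notification matters for compliance.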

“Given the problems that creates, both for security and legal compliance, I immediately reported it to Microsoft through their MSRC portal,” explained Zack Korman. “And while they did fix the issue, classifying this issue as an ‘important’ vulnerability, they also decided not to notify customers or publicize that this happened. What that means is that your audit log is wrong, and Microsoft doesn’t plan on telling you that.”

Microsoft 365 Copilot (Image Credit: Pistachio)

Microsoft 365 Copilot flaw patched without disclosure

Korman reported the vulnerability to Microsoft’s Security Response Center last month. The company eventually fixed the issue on August 17 and classified it as ‘important.’ However, Microsoft chose not to assign a CVE (Common Vulnerabilities and Exposures) identifier or notify its customers.

This wasn’t the first time the Microsoft 365 Copilot vulnerability was exposed. In August 2024, Michael Bargury, CTO of security firm Zenity, disclosed the same issue at the Black Hat conference. He demonstrated how a jailbreak technique could bypass Microsoft 365 Copilot’s security controls.