The most interesting thing about Microsoft Copilot right now isn’t what it can do for productivity. It’s what it quietly exposes.
Over the last few weeks, two separate vulnerabilities came to light, both inside Copilot for Microsoft 365, both serious, and both raising the same uncomfortable question. How much can enterprises really trust AI in the middle of their most sensitive systems?
Flaw 1: Audit Logs That Lie
Security researcher Zack Korman discovered in July 2025 that you could ask M365 Copilot to summarise any company file, sensitive ones included, and Copilot would do it without leaving any trace in the audit logs. All you had to do was ask Copilot to summarise a document without providing a link to it.
Michael Bargury had actually demonstrated this exact problem at Black Hat in August 2024. But Microsoft didn’t fix it until Korman reported it again in July 2025. Even then, they classified it as merely “important” rather than “critical”, and they fixed the bug silently without telling users about it.
This means if your organisation used Copilot before August 18th, 2025, your audit logs are incomplete. But Microsoft won’t tell you that.
Flaw 2: Policies That Don’t Protect
At almost the same time, Microsoft engineers uncovered another problem.
The second flaw was even more fundamental. Microsoft’s Copilot Agent Policies, the rules that determine who can access which AI agents, weren’t actually being enforced where it mattered.
Administrators could set up elaborate access controls through the Microsoft 365 admin centre. They could restrict sensitive AI agents to only privileged users. But these restrictions only applied to the admin interface itself, not to the underlying API that actually runs the agents.
Any user with basic Microsoft 365 access could query the Graph API directly and discover all the AI agents in the organisation, including those marked as “private”. Worse, they could then invoke these agents without any policy checks.
Microsoft rated it critical (CVSS 9.1), patched it in August, and did at least notify admins this time.
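To make the enforcement gap concrete, here is an added example (not Microsoft’s code and not the real Graph API) modelling a hypothetical agent broker with two entry points: the admin-UI listing applies the access policy, while the direct API path either skips it (the flaw described above) or shares the same check (the fix). Agent names, groups and users are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent:
    name: str
    private: bool
    allowed_groups: frozenset  # groups the admin granted access to via policy

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

class AgentService:
    """Hypothetical agent broker with an admin-UI listing and a direct API.
    enforce_in_api=False models the flaw (policy checked only in the UI path);
    enforce_in_api=True models the fix (one shared check on every path)."""
    def __init__(self, agents, enforce_in_api):
        self.agents = {a.name: a for a in agents}
        self.enforce_in_api = enforce_in_api
    def _authorized(self, user, agent):
        # Public agents are open to everyone; private ones need a policy group.
        return (not agent.private) or bool(user.groups & agent.allowed_groups)
    def ui_list(self, user):
        # Admin-centre view: the policy filter lives here in both versions.
        return sorted(a.name for a in self.agents.values() if self._authorized(user, a))
    def api_list(self, user):
        # Flawed version returns every agent, "private" ones included.
        return self.ui_list(user) if self.enforce_in_api else sorted(self.agents)
    def api_invoke(self, user, name):
        agent = self.agents[name]
        if self.enforce_in_api and not self._authorized(user, agent):
            raise PermissionError(f"{user.name} may not invoke {name}")
        return f"{name} ran for {user.name}"

# Constructed sample data: no real tenant, agents or users.
AGENTS = [Agent("helpdesk-faq", False, frozenset()),
          Agent("payroll-assistant", True, frozenset({"finance-admins"}))]
ALICE = User("alice", frozenset({"everyone"}))  # basic M365 user, not in finance-admins

def demo(enforce_in_api):
    """Return (UI listing, API listing, whether alice could invoke the private agent)."""
    svc = AgentService(AGENTS, enforce_in_api)
    try:
        svc.api_invoke(ALICE, "payroll-assistant")
        invoked = True
    except PermissionError:
        invoked = False
    return svc.ui_list(ALICE), svc.api_list(ALICE), invoked
```

With the flaw modelled, the UI hides the private agent but the API both lists and runs it; with the shared check, both paths agree.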
Why This Matters
These are not just bugs. They are symptoms of a deeper problem with how we think about AI security.
Both vulnerabilities stem from the same conceptual mistake: treating AI systems the way we treat traditional software. Traditional software is well-defined.
You either have access to a file or you don’t. AI systems are not like that. They synthesise information across sources in ways that blur those boundaries.
When Copilot summarises a document that was never linked directly, is that accessing the document? Microsoft’s audit system didn’t think so. When an employee queries the Graph API directly for agent information, are they bypassing the policy controls?
Microsoft’s enforcement mechanism did not think so. The result is a security model that works in theory but fails in practice.
The Transparency Problem
Perhaps more troubling than the vulnerabilities themselves is how Microsoft handled disclosure. They fixed the audit logging issue quietly, without telling customers their logs were incomplete. They only assigned a CVE to the agent policy flaw because of its severity score.
This creates a trust problem. If Microsoft won’t tell you about “important” security issues, how can you make informed decisions about using their products? How can you explain to auditors or regulators why your compliance data might be wrong?
Cloud providers argue that not every vulnerability needs public disclosure. They say it would create alert fatigue if they announced every security fix. But this position assumes customers trust the provider to make the right decisions about what’s important.
Recommendations
If you use Microsoft Copilot, assume that your historical audit data is incomplete. Review your agent settings so that only the agents you actually need are set up. And monitor Graph API usage for unusual patterns.
More fundamentally, you have to update your mental model of AI security. These systems do not respect the conventional boundaries we are used to. The very complexity that makes them useful also makes them unpredictable.
The question is not whether AI systems will have security holes. They will. The question is whether the companies building them will be open about those flaws when they arise.
That transparency is not something you should take for granted.