Watch a 48-minute security conference talk from Ekoparty 2024 where experts Inbar Raz and Michael Bargury expose critical security vulnerabilities in Microsoft Copilot Studio. Discover how enterprise bots built with this platform can be exploited to leak sensitive data by bypassing Data Loss Prevention (DLP) controls through insecure defaults and over-permissive plugins. Learn about the increased attack surface created when enterprise data and operations are handled by generative AI, particularly through prompt injection attacks. Get introduced to CopilotHunter, a new reconnaissance and exploitation tool that identifies public Copilots and leverages fuzzing and generative AI techniques to extract confidential enterprise information. The presentation includes real findings from scanning thousands of accessible bots, revealing exposed sensitive data and corporate credentials. Conclude with practical guidance on secure configurations, common pitfalls to avoid when using Microsoft's platform, and broader insights for developing secure and reliable Copilot implementations.
15 Ways to Break Microsoft Copilot Studio - Security Vulnerabilities and Mitigations
Ekoparty Security Conference via YouTube
Overview
Syllabus
15 Ways to Break Your Copilot - Inbar Raz & Michael Bargury - Ekoparty 2024
Taught by
Ekoparty Security Conference