Analytics Story: Suspicious Microsoft 365 Copilot Activities
Description
Leverage advanced Splunk searches to detect and investigate suspicious activities targeting Microsoft 365 Copilot, including prompt injection attacks, agentic jailbreaks, information extraction attempts, compliance violations, and anomalous user behaviors.
Why it matters
Modern adversaries targeting AI systems employ increasingly sophisticated techniques that mirror traditional malware campaigns. Our detection framework identifies multi-stage attacks where threat actors use obfuscated prompts, layered social engineering, and persistent manipulation techniques to compromise AI security controls. These attacks often involve initial reconnaissance through seemingly benign requests, followed by escalated attempts to extract sensitive information or establish persistent behavioral modifications
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| M365 Copilot Graph API | N/A | o365:graph:api |
AuditLogs.SignIns |
| M365 Exported eDiscovery Prompts | N/A | csv |
csv |
References
- https://www.splunk.com/en_us/blog/artificial-intelligence/m365-copilot-log-analysis-splunk.html
- https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a
Source: GitHub | Version: 1