Query Details
id: 3c5b8d29-4e7f-4b1a-9c2d-8f7e6a5b4c30
name: Microsoft 365 Copilot - Indirect prompt injection (XPIA) detected
description: |
  Detects Microsoft 365 Copilot interactions where the cross-prompt injection
  attack (XPIA) classifier flagged a grounding resource. This is Microsoft's
  native indirect prompt injection signal exposed on the
  LLMEventData.AccessedResources[].XPIADetected boolean.
  An XPIA hit means an attacker planted instructions (typically markdown or
  hidden text) in a document, web page, email, or chat that Copilot grounded
  on, attempting to hijack the agent's behaviour on behalf of the legitimate
  user. This rule surfaces the affected user, agent, and the source URLs the
  poisoned content came from.
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftCopilot
    dataTypes:
      - CopilotActivity
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
  - InitialAccess
  - Execution
relevantTechniques:
  - T1566
  - T1059
query: |
  // Confirmed schema: LLMEventData.AccessedResources[].XPIADetected
  // (Microsoft's native XPIA / indirect prompt injection classifier).
  CopilotActivity
  | where TimeGenerated > ago(1h)
  | where RecordType == "CopilotInteraction"
  | extend ThreadId = tostring(LLMEventData.ThreadId)
  | mv-expand r = LLMEventData.AccessedResources
  | extend
      SiteUrl = tostring(r.SiteUrl),
      ResourceType = tostring(r.Type),
      ResourceAction = tostring(r.Action),
      XPIADetected = tobool(r.XPIADetected)
  | where XPIADetected == true
  | summarize
      XpiaHits = count(),
      Sites = make_set(SiteUrl, 16),
      ResourceTypes = make_set(ResourceType, 8),
      Actions = make_set(ResourceAction, 8),
      Threads = make_set(ThreadId, 16),
      ClientIPs = make_set(SrcIpAddr, 16),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by AgentId, AgentName, ActorName, ActorUserId, TenantId
  | extend SrcIpAddr = tostring(ClientIPs[0])
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: AgentName
      - identifier: AppId
        columnName: AgentId
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: ActorName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByEntities:
      - CloudApplication
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
  - Sentinel-As-Code
  - Custom
  - Copilot
  - AI
This query is designed to detect and alert on potential security threats involving Microsoft 365 Copilot, specifically indirect prompt injection attacks (XPIA). Here's a simplified breakdown:
Purpose: The query identifies interactions in which an attacker may have embedded hidden instructions in a document, web page, email, or chat that Copilot grounded on. Those instructions aim to manipulate Copilot's behaviour on the user's behalf without the user's knowledge.
Detection Method: It relies on Microsoft's built-in XPIA classifier, which sets the XPIADetected flag on each grounding resource Copilot accessed. The query expands the AccessedResources list of every CopilotInteraction record and keeps only the resources the classifier flagged.
Data Source: The query runs hourly against the CopilotActivity table and looks back over the previous hour.
Key Actions:
  Severity and Response: The detection is rated High severity and raises an alert whenever the query returns at least one row (trigger operator gt, threshold 0). Alerts are grouped into incidents by cloud application and user account, with a 5-hour lookback, for easier incident management.
  Output: Each result row describes one affected user and agent (Copilot) and lists the SiteUrl values the flagged content was grounded from, the resource types and actions involved, the thread IDs, the client IPs, and the first and last time a hit was seen. The results are mapped to CloudApplication, Account, and IP entities for further investigation.
  Automation: When the rule fires, an incident is created automatically so the hit is triaged and investigated promptly.
Overall, this query helps in identifying and responding to indirect prompt injection attacks targeting Microsoft 365 Copilot.
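To make the rule's logic testable offline, the following Python re-implements the KQL pipeline above (time window, RecordType filter, mv-expand of AccessedResources, the XPIADetected filter, and the summarize step) over constructed CopilotActivity rows. This is an added example written for this page, not code from the rule's author or from Microsoft; the helper names (`detect_xpia`, `should_alert`, `to_bool`), the `NOW` timestamp and all sample rows, URLs and IPs are assumptions made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed "query time" for the offline run; the live rule evaluates ago(1h) relative to now.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, actor, user_id, ip, thread, resources, record_type="CopilotInteraction"):
    """Build one constructed CopilotActivity row carrying only the columns the rule reads."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "RecordType": record_type,
            "AgentId": "agent-0001", "AgentName": "Microsoft 365 Copilot",
            "ActorName": actor, "ActorUserId": user_id, "TenantId": "tenant-a", "SrcIpAddr": ip,
            "LLMEventData": {"ThreadId": thread, "AccessedResources": resources}}


def _res(url, rtype, action, xpia):
    """One AccessedResources element in the shape the query's mv-expand expects."""
    return {"SiteUrl": url, "Type": rtype, "Action": action, "XPIADetected": xpia}


# Constructed sample data (fabricated for illustration, not from any tenant).
SAMPLE_ROWS = [
    # One flagged and one clean resource in the same interaction: only the flagged one counts.
    _row(40, "alice@example.test", "u-alice", "203.0.113.10", "thread-1", [
        _res("https://intranet.example.test/hr/policy.docx", "Document", "Read", True),
        _res("https://intranet.example.test/hr/handbook.docx", "Document", "Read", False)]),
    # Same user later, from another IP; the flag arrives as a string, which tobool() accepts.
    _row(20, "alice@example.test", "u-alice", "198.51.100.7", "thread-2", [
        _res("https://news.example.test/article", "WebPage", "Read", "true")]),
    # Clean interaction: never reaches the summarize step.
    _row(10, "bob@example.test", "u-bob", "203.0.113.11", "thread-3", [
        _res("https://intranet.example.test/finance/q1.xlsx", "Document", "Read", False)]),
    # Flagged but three hours old: outside the rule's one-hour window.
    _row(180, "carol@example.test", "u-carol", "203.0.113.12", "thread-4", [
        _res("https://intranet.example.test/legal/nda.docx", "Document", "Read", True)]),
    # Flagged but a different RecordType: dropped by the RecordType filter.
    _row(5, "dave@example.test", "u-dave", "203.0.113.13", "thread-5", [
        _res("https://intranet.example.test/it/runbook.docx", "Document", "Read", True)],
        record_type="OtherRecord"),
]


def to_bool(value):
    """Approximate KQL tobool(): real booleans pass through, 'true'/'false' strings are parsed."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def _add_capped(bucket, value, cap):
    """make_set(x, N) keeps at most N distinct values; here the first N seen are kept."""
    if value and len(bucket) < cap:
        bucket.add(value)


def detect_xpia(rows, now=NOW, lookback=timedelta(hours=1), set_cap=16):
    """Mirror the rule: filter, mv-expand AccessedResources, keep XPIADetected, summarize."""
    groups = {}
    for row in rows:
        if row["TimeGenerated"] <= now - lookback:            # where TimeGenerated > ago(1h)
            continue
        if row.get("RecordType") != "CopilotInteraction":    # where RecordType == "..."
            continue
        llm = row.get("LLMEventData") or {}
        thread_id = str(llm.get("ThreadId", ""))             # extend ThreadId = tostring(...)
        for r in llm.get("AccessedResources") or []:         # mv-expand r = ...
            if not to_bool(r.get("XPIADetected")):           # where XPIADetected == true
                continue
            key = (row["AgentId"], row["AgentName"], row["ActorName"],
                   row["ActorUserId"], row["TenantId"])      # summarize ... by
            g = groups.setdefault(key, {
                "XpiaHits": 0, "Sites": set(), "ResourceTypes": set(), "Actions": set(),
                "Threads": set(), "ClientIPs": set(),
                "FirstSeen": row["TimeGenerated"], "LastSeen": row["TimeGenerated"]})
            g["XpiaHits"] += 1
            _add_capped(g["Sites"], str(r.get("SiteUrl", "")), set_cap)
            _add_capped(g["ResourceTypes"], str(r.get("Type", "")), 8)
            _add_capped(g["Actions"], str(r.get("Action", "")), 8)
            _add_capped(g["Threads"], thread_id, set_cap)
            _add_capped(g["ClientIPs"], str(row.get("SrcIpAddr", "")), set_cap)
            g["FirstSeen"] = min(g["FirstSeen"], row["TimeGenerated"])
            g["LastSeen"] = max(g["LastSeen"], row["TimeGenerated"])

    results = []
    for (agent_id, agent_name, actor, user_id, tenant), g in groups.items():
        out = {"AgentId": agent_id, "AgentName": agent_name, "ActorName": actor,
               "ActorUserId": user_id, "TenantId": tenant, "XpiaHits": g["XpiaHits"],
               "FirstSeen": g["FirstSeen"], "LastSeen": g["LastSeen"]}
        for col in ("Sites", "ResourceTypes", "Actions", "Threads", "ClientIPs"):
            out[col] = sorted(g[col])  # KQL make_set order is unspecified; sorted here for determinism
        # extend SrcIpAddr = tostring(ClientIPs[0]): one IP for the IP entity mapping
        out["SrcIpAddr"] = out["ClientIPs"][0] if out["ClientIPs"] else ""
        results.append(out)
    return results


def should_alert(results):
    """triggerOperator gt / triggerThreshold 0: the rule fires when any row is returned."""
    return len(results) > 0


if __name__ == "__main__":
    for hit in detect_xpia(SAMPLE_ROWS):
        print(hit["ActorName"], hit["XpiaHits"], hit["Sites"], hit["SrcIpAddr"])
```

Running the block yields a single result row for alice: two hits across two threads, two sites and two client IPs, while bob (no flag), carol (outside the window) and dave (other RecordType) produce nothing. The `SrcIpAddr` taken from `ClientIPs[0]` is worth noting during triage: the rule maps only one of possibly several IPs to the IP entity, so the full `ClientIPs` set should be inspected rather than the entity alone.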

David Alonso
Released: May 20, 2026