Query Details

Microsoft 365 Copilot - Indirect prompt injection (XPIA) detected

Copilot Indirect Prompt Injection

Query

// Confirmed schema: LLMEventData.AccessedResources[].XPIADetected
// (Microsoft's native XPIA / indirect prompt injection classifier).
CopilotActivity
| where TimeGenerated > ago(1h)
| where RecordType == "CopilotInteraction"
| extend ThreadId = tostring(LLMEventData.ThreadId)
| mv-expand r = LLMEventData.AccessedResources
| extend
    SiteUrl = tostring(r.SiteUrl),
    ResourceType = tostring(r.Type),
    ResourceAction = tostring(r.Action),
    XPIADetected = tobool(r.XPIADetected)
| where XPIADetected == true
| summarize
    XpiaHits = count(),
    Sites = make_set(SiteUrl, 16),
    ResourceTypes = make_set(ResourceType, 8),
    Actions = make_set(ResourceAction, 8),
    Threads = make_set(ThreadId, 16),
    ClientIPs = make_set(SrcIpAddr, 16),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AgentId, AgentName, ActorName, ActorUserId, TenantId
| extend SrcIpAddr = tostring(ClientIPs[0])

Explanation

This query is designed to detect and alert on potential security threats involving Microsoft 365 Copilot, specifically focusing on indirect prompt injection attacks (XPIA). Here's a simplified breakdown:

  1. Purpose: The query identifies instances where an attacker might have embedded hidden instructions in documents, web pages, emails, or chats. These instructions aim to manipulate the behavior of Microsoft 365 Copilot without the user's knowledge.

  2. Detection Method: It uses Microsoft's built-in classifier to flag any suspicious interactions where Copilot accessed potentially malicious resources.

  3. Data Source: The query analyzes data from Microsoft Copilot activities over the past hour.

  4. Key Actions:

    • It checks for interactions where the XPIA flag is true, indicating a detected threat.
    • It summarizes the number of threats, the affected sites, resource types, actions, and user threads involved.
    • It identifies the first and last time the threat was seen.
  5. Severity and Response: The severity of this detection is marked as high, and it triggers an alert if any threats are found. The alert groups related incidents by cloud application and user account for better incident management.

  6. Output: The query provides details about the affected user, the agent (Copilot), and the source URLs of the malicious content. It also maps relevant entities like cloud applications, user accounts, and IP addresses for further investigation.

  7. Automation: If a threat is detected, an incident is automatically created to ensure timely response and investigation.

Overall, this query helps in identifying and responding to security threats targeting Microsoft 365 Copilot through indirect prompt injection attacks.

Details

David Alonso profile picture

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

MicrosoftCopilotActivityLLMEventDataAccessedResourcesSiteUrlResourceTypeActionXPIADetectedTimeGeneratedRecordThreadIdAgentNameActorUserTenantSrcIpAddrCloudApplicationAccountAlertIncidentSentinelAsCodeCustomAI

Operators

//|where>ago()==extendtostring()mv-expandtobool()summarizecount()make_set()min()max()by

Severity

High

Tactics

InitialAccessExecution

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub