Microsoft 365 Copilot - Indirect prompt injection (XPIA) detected
Copilot Indirect Prompt Injection
Query
// Confirmed schema: LLMEventData.AccessedResources[].XPIADetected
// (Microsoft's native XPIA / indirect prompt injection classifier).
CopilotActivity
| where TimeGenerated > ago(1h)
| where RecordType == "CopilotInteraction"
| extend ThreadId = tostring(LLMEventData.ThreadId)
| mv-expand r = LLMEventData.AccessedResources
| extend
SiteUrl = tostring(r.SiteUrl),
ResourceType = tostring(r.Type),
ResourceAction = tostring(r.Action),
XPIADetected = tobool(r.XPIADetected)
| where XPIADetected == true
| summarize
XpiaHits = count(),
Sites = make_set(SiteUrl, 16),
ResourceTypes = make_set(ResourceType, 8),
Actions = make_set(ResourceAction, 8),
Threads = make_set(ThreadId, 16),
ClientIPs = make_set(SrcIpAddr, 16),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AgentId, AgentName, ActorName, ActorUserId, TenantId
| extend SrcIpAddr = tostring(ClientIPs[0])Explanation
This query is designed to detect and alert on potential security threats involving Microsoft 365 Copilot, specifically focusing on indirect prompt injection attacks (XPIA). Here's a simplified breakdown:
-
Purpose: The query identifies instances where an attacker might have embedded hidden instructions in documents, web pages, emails, or chats. These instructions aim to manipulate the behavior of Microsoft 365 Copilot without the user's knowledge.
-
Detection Method: It uses Microsoft's built-in classifier to flag any suspicious interactions where Copilot accessed potentially malicious resources.
-
Data Source: The query analyzes data from Microsoft Copilot activities over the past hour.
-
Key Actions:
- It checks for interactions where the XPIA flag is true, indicating a detected threat.
- It summarizes the number of threats, the affected sites, resource types, actions, and user threads involved.
- It identifies the first and last time the threat was seen.
-
Severity and Response: The severity of this detection is marked as high, and it triggers an alert if any threats are found. The alert groups related incidents by cloud application and user account for better incident management.
-
Output: The query provides details about the affected user, the agent (Copilot), and the source URLs of the malicious content. It also maps relevant entities like cloud applications, user accounts, and IP addresses for further investigation.
-
Automation: If a threat is detected, an incident is automatically created to ensure timely response and investigation.
Overall, this query helps in identifying and responding to security threats targeting Microsoft 365 Copilot through indirect prompt injection attacks.
Details

David Alonso
Released: May 20, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H