Microsoft 365 Copilot - Sensitivity label downgrade in agent output
Copilot Sensitivity Label Downgrade
Query
let highLabels = dynamic([
"confidential", "highly confidential", "restricted",
"internal only", "secret", "top secret"
]);
let lowerTrustSinks = dynamic([
"/personal/", "guest", "external", "anonymous",
"outlook.com", "gmail.com", "hotmail.com",
"proton.me", "yahoo.com"
]);
CopilotActivity
| where TimeGenerated > ago(7d)
| where RecordType == "CopilotInteraction"
| extend
RagSourcesText = tolower(tostring(LLMEventData.RagSources)),
ResponseText = tolower(tostring(LLMEventData.Response)),
OutputLabel = tolower(tostring(column_ifexists('OutputSensitivityLabel', ''))),
RecipientsText = tolower(tostring(column_ifexists('Recipients', ''))),
DestinationUri = tolower(tostring(column_ifexists('DestinationUri', '')))
| extend
SourceHasHighLabel = RagSourcesText has_any (highLabels),
OutputHasHighLabel = OutputLabel has_any (highLabels),
ToLowerTrustSink = RecipientsText has_any (lowerTrustSinks)
or DestinationUri has_any (lowerTrustSinks)
| where SourceHasHighLabel and (not(OutputHasHighLabel) or ToLowerTrustSink)
| project TimeGenerated, AgentId, AgentName, ActorName,
SourceHasHighLabel, OutputHasHighLabel, ToLowerTrustSink,
OutputLabel, RecipientsText, DestinationUri, TenantId
| order by TimeGenerated descExplanation
This query is designed to identify potential data leaks involving Microsoft 365 Copilot. It specifically looks for instances where Copilot generates responses based on highly classified documents (like "Confidential" or "Top Secret") but sends the output to less secure destinations (such as external email addresses or public sites) without maintaining the original sensitivity label.
Here's a breakdown of what the query does:
-
Define High Sensitivity Labels: It sets up a list of labels that indicate high sensitivity, such as "confidential" or "top secret."
-
Define Lower Trust Destinations: It also defines a list of destinations considered less secure, including personal email domains and external or guest users.
-
Filter Recent Copilot Activities: The query looks at Copilot activities from the past seven days.
-
Extract and Normalize Data: It extracts and converts relevant data to lowercase for consistency, including the source document labels, response text, output label, recipients, and destination URLs.
-
Identify Potential Leaks: It checks if the source document had a high sensitivity label but the output either lost this label or was sent to a lower trust destination.
-
Output Relevant Information: The query then lists details about these incidents, such as the time, agent involved, and destination, sorted by the most recent events.
The query is tagged with tactics and techniques related to data exfiltration and collection, indicating its focus on identifying unauthorized data sharing.
Details

David Alonso
Released: May 20, 2026
Tables
Keywords
Operators
Tactics