Query Details
id: 6c1e0f70-9d4b-4032-1e5f-3b8c0d1e4f50
name: Microsoft 365 Copilot - Sensitivity label downgrade in agent output
description: |
  Hunts for Microsoft 365 Copilot responses that were grounded in highly
  classified documents (Confidential, Highly Confidential, Restricted and
  similar labels) but whose output either left without that label or went
  to a lower-trust surface (external recipient, public site, personal
  OneDrive, chat with guest users).
  Surfaces candidate label-stripping leaks, i.e. output that escaped the
  platform's built-in label inheritance, for analyst triage.
query: |
  let highLabels = dynamic([
      "confidential", "highly confidential", "restricted",
      "internal only", "secret", "top secret"
  ]);
  let lowerTrustSinks = dynamic([
      "/personal/", "guest", "external", "anonymous",
      "outlook.com", "gmail.com", "hotmail.com",
      "proton.me", "yahoo.com"
  ]);
  CopilotActivity
  | where TimeGenerated > ago(7d)
  | where RecordType == "CopilotInteraction"
  | extend
      RagSourcesText = tolower(tostring(LLMEventData.RagSources)),
      ResponseText = tolower(tostring(LLMEventData.Response)),
      // column_ifexists yields '' when the column is absent: in a tenant without
      // these columns OutputHasHighLabel is always false and ToLowerTrustSink never true
      OutputLabel = tolower(tostring(column_ifexists('OutputSensitivityLabel', ''))),
      RecipientsText = tolower(tostring(column_ifexists('Recipients', ''))),
      DestinationUri = tolower(tostring(column_ifexists('DestinationUri', '')))
  | extend
      // has_any is whole-term matching, so "confidential" also hits "non-confidential"
      SourceHasHighLabel = RagSourcesText has_any (highLabels),
      OutputHasHighLabel = OutputLabel has_any (highLabels),
      ToLowerTrustSink = RecipientsText has_any (lowerTrustSinks)
          or DestinationUri has_any (lowerTrustSinks)
  // keep rows where the label was dropped, or survived but still went to a lower-trust sink
  | where SourceHasHighLabel and (not(OutputHasHighLabel) or ToLowerTrustSink)
  | project TimeGenerated, AgentId, AgentName, ActorName,
      SourceHasHighLabel, OutputHasHighLabel, ToLowerTrustSink,
      OutputLabel, RecipientsText, DestinationUri, TenantId
  | order by TimeGenerated desc
tactics:
- Exfiltration
- Collection
techniques:
- T1530
- T1213
tags:
- Sentinel-As-Code
- Custom
- Copilot
- AI
This query is designed to identify potential data leaks involving Microsoft 365 Copilot. It looks for interactions in which Copilot grounded its answer in highly classified documents (labelled "Confidential", "Restricted", "Top Secret" and similar) and the resulting output either lost that label or was delivered to a lower-trust destination such as an external mailbox, a guest user or a personal OneDrive.
Here's a breakdown of what the query does:
Define high sensitivity labels: a list of label strings that mark a grounding source as highly sensitive, such as "confidential", "internal only" or "top secret".
Define lower-trust destinations: a list of strings that mark a recipient or destination as lower trust, covering consumer mail domains, guest, external and anonymous recipients, and "/personal/" OneDrive paths.
Filter recent Copilot activities: CopilotActivity rows of RecordType "CopilotInteraction" from the past seven days.
Extract and normalize data: lower-cases the grounding source list, the response text, the output label, the recipients and the destination URI. The last three columns are read through column_ifexists, so a tenant whose schema lacks them gets empty strings instead of a query error. ResponseText is computed but not used by any later stage.
Identify potential leaks: a row is kept when the sources carried a high label and either the output label does not (the label was stripped) or the destination matches a lower-trust sink (the label survived but the content still left the trust boundary).
Output relevant information: time, agent, actor, the three boolean flags, output label, recipients, destination and tenant, newest first.
Two caveats follow from that logic. has_any matches whole terms, so "confidential" also matches "non-confidential" and "secret" matches any file name containing that word; expect false positives from source titles rather than from labels. And because column_ifexists substitutes an empty string for a missing column, in a tenant without OutputSensitivityLabel every interaction grounded in a high-labelled source satisfies not(OutputHasHighLabel) and is returned. Treat the results as hunting leads to triage, not as a ready-made alert rule.
The query is tagged with the Exfiltration and Collection tactics and the techniques T1530 and T1213, reflecting its focus on identifying unauthorized data sharing.
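The following Python harness is an added example, not code from the original page or from the query's author. It re-implements the query's extend and where stages so the logic can be exercised offline against constructed rows before the hunt is scheduled. The row shape (LLMEventData.RagSources, OutputSensitivityLabel, Recipients, DestinationUri, RecordType) is taken from the query text; the sample rows are constructed here and are not real CopilotActivity telemetry, and has_any is an approximation of the KQL operator's whole-term matching.

```python
"""Offline harness for the Copilot label-downgrade hunt.

Added example, not part of the original query page. Re-implements the
query's extend/where/order stages in Python over constructed rows so the
detection logic and its failure modes can be checked without a workspace.
"""
import re
from datetime import datetime, timedelta, timezone

HIGH_LABELS = ["confidential", "highly confidential", "restricted",
               "internal only", "secret", "top secret"]
LOWER_TRUST_SINKS = ["/personal/", "guest", "external", "anonymous",
                     "outlook.com", "gmail.com", "hotmail.com",
                     "proton.me", "yahoo.com"]

_TERM = re.compile(r"[a-z0-9]+")


def has_any(text, phrases):
    """Approximation of KQL `has_any`: case-insensitive match of each phrase as a
    run of whole terms. Term matching is why 'confidential' also hits
    'non-confidential' (but not 'confidentiality') and why '/personal/' behaves
    like the bare term 'personal'."""
    toks = _TERM.findall(text.lower())
    for phrase in phrases:
        p = _TERM.findall(phrase.lower())
        if p and any(toks[i:i + len(p)] == p for i in range(len(toks) - len(p) + 1)):
            return True
    return False


def evaluate(row):
    """Mirror of the query for one row: returns the projected fields when the
    row would be emitted, or None when the query would drop it."""
    if row.get("RecordType") != "CopilotInteraction":
        return None
    llm = row.get("LLMEventData") or {}
    rag = str(llm.get("RagSources", ""))
    # column_ifexists(..., ''): a tenant without the column yields '' for every row
    out_label = str(row.get("OutputSensitivityLabel", ""))
    recipients = str(row.get("Recipients", ""))
    dest = str(row.get("DestinationUri", ""))
    src_high = has_any(rag, HIGH_LABELS)
    out_high = has_any(out_label, HIGH_LABELS)
    low_sink = has_any(recipients, LOWER_TRUST_SINKS) or has_any(dest, LOWER_TRUST_SINKS)
    if not (src_high and (not out_high or low_sink)):
        return None
    return {"TimeGenerated": row["TimeGenerated"], "AgentName": row.get("AgentName"),
            "ActorName": row.get("ActorName"), "SourceHasHighLabel": src_high,
            "OutputHasHighLabel": out_high, "ToLowerTrustSink": low_sink,
            "OutputLabel": out_label.lower(), "RecipientsText": recipients.lower(),
            "DestinationUri": dest.lower()}


def hunt(rows, now, window=timedelta(days=7)):
    """Apply the 7-day window, the row filter and the newest-first ordering."""
    hits = [evaluate(r) for r in rows if r["TimeGenerated"] > now - window]
    return sorted((h for h in hits if h), key=lambda h: h["TimeGenerated"], reverse=True)


NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)


def _t(days_ago):
    return NOW - timedelta(days=days_ago)


# Constructed rows, not real telemetry. Each comment states the expected outcome.
SAMPLE_ROWS = [
    {"TimeGenerated": _t(1), "RecordType": "CopilotInteraction", "AgentName": "SalesAgent",
     "ActorName": "alice@contoso.com", "LLMEventData": {"RagSources": "Q3-Forecast.xlsx [Highly Confidential]"},
     "OutputSensitivityLabel": "General", "Recipients": "partner@gmail.com"},   # label dropped AND external sink
    {"TimeGenerated": _t(2), "RecordType": "CopilotInteraction", "AgentName": "SalesAgent",
     "ActorName": "alice@contoso.com", "LLMEventData": {"RagSources": "Board-Minutes.docx [Confidential]"},
     "OutputSensitivityLabel": "Confidential", "Recipients": "bob@contoso.com"},  # label kept, internal: quiet
    {"TimeGenerated": _t(3), "RecordType": "CopilotInteraction", "AgentName": "HRAgent",
     "ActorName": "carol@contoso.com", "LLMEventData": {"RagSources": "Comp-Review.docx [Restricted]"},
     "OutputSensitivityLabel": "Restricted", "Recipients": "guest user: dave (External)"},  # label kept, guest sink
    {"TimeGenerated": _t(4), "RecordType": "CopilotInteraction", "AgentName": "HRAgent",
     "ActorName": "carol@contoso.com", "LLMEventData": {"RagSources": "Policy.docx [Internal Only]"},
     "Recipients": "erin@contoso.com"},                                          # label column absent: fires anyway
    {"TimeGenerated": _t(5), "RecordType": "CopilotInteraction", "AgentName": "DocsAgent",
     "ActorName": "frank@contoso.com", "LLMEventData": {"RagSources": "Press-Kit.pdf [Non-Confidential]"},
     "OutputSensitivityLabel": "Public", "DestinationUri": "https://contoso.sharepoint.com/sites/press"},  # term-match FP
    {"TimeGenerated": _t(10), "RecordType": "CopilotInteraction", "AgentName": "SalesAgent",
     "ActorName": "alice@contoso.com", "LLMEventData": {"RagSources": "Old-Deck.pptx [Top Secret]"},
     "OutputSensitivityLabel": "General", "Recipients": "x@yahoo.com"},         # outside the 7-day window
    {"TimeGenerated": _t(1), "RecordType": "SharePointFileOperation", "AgentName": None,
     "ActorName": "alice@contoso.com", "LLMEventData": {"RagSources": "Secret.docx"},
     "Recipients": "y@outlook.com"},                                             # wrong RecordType
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS, NOW):
        print(hit["TimeGenerated"].date(), hit["AgentName"], hit["ActorName"],
              "label:", hit["OutputLabel"] or "<none>", "sink:", hit["ToLowerTrustSink"])
```

Running it returns four of the seven rows: the genuine downgrade, the guest-recipient case, the row whose tenant has no OutputSensitivityLabel column, and the "Non-Confidential" title that the whole-term match treats as "confidential". The last two are the false-positive modes the caveats above describe; the label-preserved internal row, the stale row and the non-Copilot record are dropped as the query intends.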

David Alonso
Released: May 20, 2026