M365 Copilot Extensions Threat Monitoring
Query
// M365 Copilot Extensions Threat Monitoring
// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-m365-activity-7250789113249837056-D6rZ/
// This just keeps getting better and better! ๐ I absolutely refuse to accept Message Center MC908119, which claims that โAdmins will lose tenant-level control over who can use Copilot agents.โ ๐ค As a countermeasure, Iโve developed a Sentinel analytics rule that monitors all external URLs accessed by M365 Copilot extensions against my Threat Intelligence database for potential malicious activities. This rule is linked with a logic playbook automation to mark the user as compromised and isolate their access. ๐ฏ๐
// ConfusedPilot Attack Vector:
// https://www.linkedin.com/posts/0x534c_confusedpilot-activity-7252113628470943744-BgxN/
// M365 Copilot Extensions Threat Monitoring (Sentinel)
// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-copilot-activity-7251091656249090048-GfSg/
CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)
| extend PluginAccessURL = tostring(CopilotData.AccessedResources)
| mv-expand todynamic(PluginAccessURL)
| where PluginAccessURL has "SiteUrl"
| extend Url = tostring(PluginAccessURL.SiteUrl)
| extend Domain = tostring(parse_url(Url).Host)
| extend Action = tostring(PluginAccessURL.Action)
| join ThreatIntelligenceIndicator on $left.Domain == $right.DomainName
// MITRE ATT&CK
// T1116 Browser ExtensionsExplanation
This query is designed to monitor potential threats associated with Microsoft 365 Copilot extensions by analyzing cloud application events. Here's a breakdown of what the query does in simple terms:
-
Time Filter: It looks at events generated in the last hour.
-
Action Type: It specifically focuses on events where the action type is "CopilotInteraction," indicating interactions with Copilot extensions.
-
User and Copilot Data Extraction:
- It extracts the user ID and detailed Copilot event data from the raw event data.
- It identifies the specific Copilot plugin involved in the interaction.
-
URL and Domain Extraction:
- It extracts URLs accessed by the Copilot plugin.
- It expands these URLs to find specific site URLs accessed.
- It parses these URLs to extract the domain name.
-
Threat Intelligence Matching:
- It compares the extracted domain names against a threat intelligence database to identify potential malicious activities.
-
Automation and Response:
- If a match is found, the rule is linked with an automated playbook that marks the user as compromised and isolates their access to prevent further threats.
-
Reference to MITRE ATT&CK:
- The query references the MITRE ATT&CK framework, specifically T1116, which relates to the use of browser extensions for malicious purposes.
Overall, this query is part of a security monitoring strategy to detect and respond to potential threats from external URLs accessed by M365 Copilot extensions, ensuring that any suspicious activity is promptly addressed.
Details

Steven Lim
Released: October 16, 2024
Tables
Keywords
Operators
MITRE Techniques