
Critical security vulnerability in Microsoft 365 Copilot

Companies should review their audit logs

A new critical security vulnerability in Microsoft 365 Copilot has become known. A simple trick allowed users, including potentially malicious insiders, to access sensitive files without this access being recorded in the official audit logs.

The vulnerability has now been fixed, but Microsoft has not published a CVE and has not actively informed its customers. For many companies, this means that audit trails from before August 18, 2025 could be incomplete, with serious consequences for security and compliance.

What has happened so far — and why this is problematic

On July 4, 2025, a security researcher from the technology company Pistachio discovered a vulnerability in Microsoft 365 Copilot:

  • A simple command was used to prevent access to files from being logged.

  • Audit logs, which are essential for security and compliance, were bypassed as a result.

  • Companies would run the risk of data leaks going unnoticed.

This is a compliance risk for regulated industries such as financial services, healthcare or public administration, as complete audit trails are required by law.

Microsoft’s silent fix — and the criticism of it 

On August 17, 2025, Microsoft rolled out a fix. But instead of creating transparency, the company decided on:

  • No CVE for the vulnerability

  • No active notification of customers

  • No public announcement

The problem: companies may not know that their audit logs from before August 18 may be incomplete. Even more explosive: according to Michael Bargury (CTO of Zenity), a similar security vulnerability was reported over a year ago without being fixed at the time.

Risk for companies

Insider attacks remain invisible!

The vulnerability opens up new attack possibilities, especially for malicious insiders:

  • Access sensitive files without alerting security or compliance teams

  • Exfiltration of confidential data without forensic traceability

  • Risk of incorrect security analyses because logs can be incomplete

Companies must assume that access may have taken place unnoticed — especially if Microsoft 365 Copilot is used intensively.

Recommendations for companies

To minimize the risks, companies should act now:

  1. Check audit logs

    • Check whether security-relevant accesses are missing

  2. Actively address insider risks

    • Implement monitoring systems that work independently of Microsoft’s logging

  3. Proactive security measures

    • Detect security vulnerabilities early, before attackers exploit them

  4. Awareness and training

    • Sensitize employees to AI risks and insider threats
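To make step 1 concrete, here is an added triage script (not code from the article, Microsoft or Pistachio) that works through an exported unified audit log and lists Copilot interactions that reference no accessed resources. Before the August 18, 2025 fix date such records are exactly the ones in which a file access could be missing, so they are the natural starting point for a manual review. The export column names (CreationDate, UserIds, Operations, AuditData) and the CopilotInteraction payload fields (CopilotEventData, AccessedResources with Name, Type, SiteUrl, Id) follow the documented audit schema as far as I know it, but treat them as assumptions and verify them against your own tenant's export; the sample rows are constructed.

```python
"""Triage exported Microsoft 365 audit records for Copilot interactions
that name no accessed resources (added example; field names are assumptions
to be checked against a real export)."""
import json
from datetime import datetime, timezone

# Date from the article before which audit trails may be incomplete.
FIX_DATE = datetime(2025, 8, 18, tzinfo=timezone.utc)

# Constructed sample export in the column layout of a unified audit log CSV:
# AuditData carries the record body as a JSON string.
SAMPLE_EXPORT = [
    {   # Copilot session before the fix, file access properly recorded
        "CreationDate": "2025-07-20T09:12:44Z",
        "UserIds": "alice@example.com",
        "Operations": "CopilotInteraction",
        "AuditData": json.dumps({
            "Operation": "CopilotInteraction", "UserId": "alice@example.com",
            "CopilotEventData": {"AppHost": "Office", "AccessedResources": [
                {"Name": "Q3-forecast.xlsx", "Type": "Excel", "Id": "doc-001",
                 "SiteUrl": "https://example.sharepoint.com/sites/Finance"}]}}),
    },
    {   # Copilot session before the fix with no resources listed: review candidate
        "CreationDate": "2025-08-02T14:03:10Z",
        "UserIds": "alice@example.com",
        "Operations": "CopilotInteraction",
        "AuditData": json.dumps({
            "Operation": "CopilotInteraction", "UserId": "alice@example.com",
            "CopilotEventData": {"AppHost": "Teams", "AccessedResources": []}}),
    },
    {   # Copilot session after the fix with no resources: likely a plain chat
        "CreationDate": "2025-08-25T08:45:00Z",
        "UserIds": "bob@example.com",
        "Operations": "CopilotInteraction",
        "AuditData": json.dumps({
            "Operation": "CopilotInteraction", "UserId": "bob@example.com",
            "CopilotEventData": {"AppHost": "Office", "AccessedResources": []}}),
    },
    {   # Unrelated SharePoint record, must be ignored by the Copilot checks
        "CreationDate": "2025-08-02T14:05:31Z",
        "UserIds": "bob@example.com",
        "Operations": "FileAccessed",
        "AuditData": json.dumps({"Operation": "FileAccessed",
                                 "UserId": "bob@example.com",
                                 "SourceFileName": "handbook.docx"}),
    },
]


def load_export(rows):
    """Parse each row's AuditData JSON and normalise the timestamp to UTC."""
    records = []
    for row in rows:
        ts = datetime.strptime(row["CreationDate"], "%Y-%m-%dT%H:%M:%SZ")
        records.append({"time": ts.replace(tzinfo=timezone.utc),
                        "user": row["UserIds"],
                        "operation": row["Operations"],
                        "data": json.loads(row["AuditData"])})
    return records


def copilot_records(records):
    return [r for r in records if r["operation"] == "CopilotInteraction"]


def accessed_resources(record):
    """Resources the Copilot record claims to have touched (may be empty)."""
    return record["data"].get("CopilotEventData", {}).get("AccessedResources") or []


def find_unattributed_interactions(records, fix_date=FIX_DATE):
    """Copilot interactions with no AccessedResources. Those dated before
    fix_date fall into the window in which file access may have gone unlogged."""
    return [{"user": r["user"], "time": r["time"].isoformat(),
             "in_gap_window": r["time"] < fix_date}
            for r in copilot_records(records) if not accessed_resources(r)]


def resource_access_by_site(records, site_prefix):
    """Inventory which users' Copilot sessions touched files on a sensitive site."""
    hits = {}
    for r in copilot_records(records):
        for res in accessed_resources(r):
            if res.get("SiteUrl", "").startswith(site_prefix):
                hits.setdefault(res["Name"], set()).add(r["user"])
    return {name: sorted(users) for name, users in hits.items()}


def summarize(records, fix_date=FIX_DATE):
    """Headline numbers for the review: how many sessions, how many need a look."""
    flagged = find_unattributed_interactions(records, fix_date)
    return {"copilot_interactions": len(copilot_records(records)),
            "without_resources": len(flagged),
            "without_resources_in_gap_window": sum(f["in_gap_window"] for f in flagged)}


if __name__ == "__main__":
    recs = load_export(SAMPLE_EXPORT)
    print(json.dumps(summarize(recs), indent=2))
    for finding in find_unattributed_interactions(recs):
        print("review:", finding)
    print(resource_access_by_site(recs, "https://example.sharepoint.com/sites/Finance"))
```

An empty AccessedResources list is not proof of hidden access (a chat that never touched a file is legitimately empty), so the output is a review queue rather than an alert; the point is that records inside the gap window cannot be trusted on their own and should be cross-checked with whatever independent monitoring the company has in place, as step 2 recommends.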

Conclusion 

The vulnerability in M365 Copilot has been fixed, but the way it was handled raises questions about Microsoft’s transparency.

In times when AI is deeply integrated into business processes, companies must strengthen their own security strategy and not rely solely on the audit logs of a provider.

The DEFENDERBOX helps to detect security vulnerabilities in real time, prevent data leaks and make insider activities visible independently of Microsoft’s logging.

Proactive security strategies are crucial:

👉 Do you want to know how your IT security is doing? Find out now: Start cyber check.

Stay vigilant — your IT will stay that way with us. 
