Forum Discussion
TonyRedmond
May 20, 2025 (MVP)
Why Copilot Access to “Restricted” Passwords Isn’t as Big an Issue as Uploading Files to ChatGPT
Some sites picked up the Microsoft 365 Copilot penetration test that allegedly proved how Copilot can extract sensitive data from SharePoint Online. When you look at the test, it depends on three major assumptions: that an attacker compromises a tenant, poor tenant management, and failure to deploy available tools. Other issues, like users uploading files from SharePoint and OneDrive to process on ChatGPT, are more of a priority for tenant administrators.
https://office365itpros.com/2025/05/20/microsoft-365-copilot-pen-test2/
2 Replies
Labeling isn't enough because a sensitivity label does not protect the document metadata, which means that confidential files can still turn up in Copilot Chat searches (see https://practical365.com/microsoft-365-chat-blocks/). RCD or the DLP policy for Copilot (which uses sensitivity labels to indicate which files should be blocked from Copilot) are the right tools to use. All explained in the article.
- DiogoSousa (Iron Contributor)
Hello! Wasn't this avoidable if correct labeling was in place?