Microsoft 365 Copilot Vulnerability Allegedly Allowed File Access Without Audit Log Entry

July 4, 2025

A reported vulnerability in Microsoft 365 Copilot purportedly enabled users to access and summarize files without generating audit log entries, raising concerns about traceability, compliance, and the need for safe and secure AI practices. Security researcher Zack Korman disclosed this issue to Microsoft, which classified it as 'important' and allegedly fixed it on August 17, 2025, but chose not to notify customers or assign a CVE.

For those interested in shaping trustworthy AI governance and promoting harm prevention, explore how the HISPI Project Cerebellum TAIM (Govern) can help map, measure, and manage incidents like this one.

Matched TAIM controls

Suggested mapping from embedding similarity (not a formal assessment).

Alleged deployer: microsoft
Alleged developer: microsoft
Alleged harmed parties: microsoft-365-copilot-enterprise-customers, organizations-relying-on-audit-logs-for-compliance-and-security

Source

Data from the AI Incident Database (AIID). Cite this incident: https://incidentdatabase.ai/cite/1218

Data source

Incident data is from the AI Incident Database (AIID).

When citing the database as a whole, please use:

McGregor, S. (2021) Preventing Repeated Real World AI Failures by Cataloging Incidents: The AI Incident Database. In Proceedings of the Thirty-Third Annual Conference on Innovative Applications of Artificial Intelligence (IAAI-21). Virtual Conference.

We use weekly snapshots of the AIID for stable reference. For the official suggested citation of a specific incident, use the “Cite this incident” link on each incident page.