This 49-minute OWASP Foundation talk by Michael Bargury examines how Microsoft 365 Copilot can be abused after an attacker already holds a foothold in a tenant. It shows how Copilot can be used post-compromise to search covertly for sensitive data, to exfiltrate information without generating the logs defenders would normally rely on, and to drive phishing and social-engineering attacks against other users. It also shows how Copilot plugins can be weaponized to plant backdoors in other users' Copilot interactions, enabling data theft and AI-driven social engineering while bypassing the built-in security controls. The presentation introduces LOLCopilot, a red-teaming tool that lets ethical hackers demonstrate these techniques in any M365 Copilot-enabled tenant running the default configuration. Note the threat model: these techniques assume an attacker who already has Copilot access as a compromised user or a malicious insider, so Copilot acts as a force multiplier rather than an initial access vector. The talk closes with detection methods and hardening techniques for defending against malicious insiders and threat actors with Copilot access.
Syllabus: Living off Microsoft Copilot - Michael Bargury
Taught by: OWASP Foundation