Links and materials for 15 Ways to Break Your Copilot

Links, source code, tools and slides for BlackHat USA 2024

This is a post with all of the links and additional materials for a talk I gave at BlackHat USA 2024 titled 15 Ways to Break Your Copilot.

Slides and demos

Slides are here. A demo is up on YouTube.

Demos:

  • Scanning the Internet to find open Copilot Studio bots and extract information from them, by Avishai Efrat - video

Tools

CopilotHunter is a tool we’re dropping today. It allows you to scan for publicly accessible Copilot Studio bots and extract information from them. You can point it at your tenant, or scan the entire internet.

GitHub - mbrg/power-pwn: An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform

Hardening recommendations

  1. Go Hack Yourself with powerpwn!

GitHub - mbrg/power-pwn: An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform

  2. Help your users avoid these mistakes and make secure choices easy. Follow the frameworks to create a security program that works with citizen developers and professional developers.

OWASP Low-Code/No-Code Top 10 | OWASP Foundation

LLMRisks Archive - OWASP Top 10 for LLM & Generative AI Security

  3. Harden your environment
    1. Turn off the following toggles in the Power Platform DLP:
      1. “Chat without Microsoft Entra ID authentication in Copilot Studio” to turn off publicly facing bots with no authentication.
      2. “Facebook channel in Copilot Studio”, “Direct line channels in Copilot Studio”, “Omnichannel in Copilot Studio” to turn off social channels outside of your corporate boundaries.
    2. Monitor the audit logs for suspicious activity.
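
One way to check the toggles in step 3 across every DLP policy at once, as an added example that is not code from the talk or from power-pwn. It assumes the policies were exported to JSON; the field names (`displayName`, `defaultConnectorsClassification`, `connectorGroups`, `classification`, `connectors`, `name`) and the sample policies are constructed for illustration.

```python
import json

# Toggle names as listed in the hardening recommendations.
MUST_BE_BLOCKED = [
    "Chat without Microsoft Entra ID authentication in Copilot Studio",
    "Facebook channel in Copilot Studio",
    "Direct line channels in Copilot Studio",
    "Omnichannel in Copilot Studio",
]

# Constructed sample export; the JSON field names are an assumed shape.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Tenant default (constructed)",
   "defaultConnectorsClassification": "General",
   "connectorGroups": [
     {"classification": "Blocked", "connectors": [
       {"name": "Chat without Microsoft Entra ID authentication in Copilot Studio"},
       {"name": "Facebook channel in Copilot Studio"}]},
     {"classification": "General", "connectors": [
       {"name": "Direct line channels in Copilot Studio"}]}]},
  {"displayName": "Finance lockdown (constructed)",
   "defaultConnectorsClassification": "Blocked",
   "connectorGroups": []}
]
""")

def classification_of(policy, toggle):
    """Return the group a toggle is in, or the policy default if unlisted."""
    wanted = toggle.casefold()
    for group in policy.get("connectorGroups", []):
        for connector in group.get("connectors", []):
            if connector.get("name", "").strip().casefold() == wanted:
                return group.get("classification", "Unknown")
    return policy.get("defaultConnectorsClassification", "Unknown")

def audit(policies):
    """Map each policy name to the toggles it leaves on (not Blocked)."""
    findings = {}
    for policy in policies:
        left_on = [t for t in MUST_BE_BLOCKED
                   if classification_of(policy, t) != "Blocked"]
        if left_on:
            findings[policy.get("displayName", "<unnamed>")] = left_on
    return findings

if __name__ == "__main__":
    for name, toggles in audit(SAMPLE_EXPORT).items():
        print(f"{name}: still enabled -> {', '.join(toggles)}")
```

A toggle that is blocked in a policy is only off in the environments that policy is scoped to, so review each policy's scope alongside this result.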

Other talks mentioned

On credentials sharing

Copilot Studio bots can be embedded with maker credentials. This was actually the default for many months, and it is still a popular option today (the choice is up to the maker). This is a recurring security issue with low-code/no-code apps.

blog post

On sharing bots with everyone in the org, including guests

This setting can actually result in credentials being shared with everyone in your tenant. Last year at BlackHat, I showed how this can be used by guests to gain full dumps of your SQL servers and Azure resources.

We also released PowerPwn, an open source offensive tool that allows you to try this out in your tenant.

blog post

On bypassing the Power Platform DLP

The Power Platform DLP is not a security mechanism, it's a governance tool - a list of toggles you can set up to turn off platform features. It’s also very easy to bypass.

blog post
