The Zenity Security Assessment Hub

Visualize and Understand your risks from AI Agents, Copilots, and Low-Code Development

 

Zenity offers a variety of security assessment tools for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform. With them, security leaders and practitioners can take a Red Team approach and immediately identify and reduce risks stemming from powerful business-enablement platforms. 

Our security assessment tools include:

Copilot Hunter

PowerDump

Copilot Connector & Chat Automator

Copilot Interactive Chat

Copilot M365 Dump

Copilot M365 Whoami

Install a Backdoor

Internal Phishing

No-Code Malware

Spearphishing

Copilot Hunter

Copilot Hunter has two modules

  • Deep Scan which finds open Copilot Studio bots based on domains or tenant IDS
  • Enum which compiles lists of environment and tenant IDs from Power Platform API subdomains 

PowerDump

  • Generate access tokens to fetch available resources in Microsoft PowerApps
  • Perform advanced actions on the discovered resources
  • Dump all available information in Power Platform into a local directory
  • Basic GUI for presenting the collected resources and data

Copilot Connector & Chat Automator

  • Interact with Copilot for Microsoft 365 through WebSocket messages and undocumented APIs to implement any process that requires interaction with Copilot
  • Facilitate automated processes with Copilot, handling all interactions (prompts and responses) and ease implementation, so security teams can focus on the actual business logic of the process

Copilot Interactive Chat

  • Enable chat with Copilot M365 through the powerpwn terminal

Copilot M365 Dump

  • Explore Microsoft Copilot 365 to extract emails and their contents, enumerate and extract Sharepoint site content, and harvest credentials and passwords

Copilot M365 Whoami

  • Extract information about the current user of Microsoft 365 Copilot including: 
  • Personal data like their name, title, email, manager
  • What Sharepoint sites, documents, and sensitive data they have access to
  • Other details like their weekly schedule, emails, and collaborators and contact information
  • And more!

Install a Backdoor

  • Maintain persistence on Power Platform by installing an automation factory that creates, executes, and delete arbitrary commands

Internal Phishing

  • Set up internal phishing applications on Microsoft-owned domains, which automatically authenticates as users click and go to the link

No-Code Malware

  • Repurpose trusted executables, service accounts, and cloud services in the Microsoft Power Platform ecosystem to power a malware operation

Spearphishing

  • Explore the latest interactions with compromised accounts or user of its victims
  • Craft highly personalized emails to send to targets

If you’d like to learn more about any of these modules, or want some help in running the scans yourself, get in touch with us and we’ll be happy to walk you through it, analyze the results, and more!

Recent blog posts

May 2nd, 2024

Securing Copilot for Microsoft 365: New AISPM Capabilities from Zenity
In the realm of modern enterprise productivity suites, Copilot for Microsoft 365 stands as a huge driver for efficiency, offering business users the ability to aggregate, summarize, and process data within the M365 suite of tools. However, for organizations with diverse infrastructure and applications, and the need for real-time data interactions, the out-of-the-box functionality requires…
Blog
January 3rd, 2024

Securely Power Up Business Intelligence: Zenity Introduces Security & Governance Support for PowerBI
Businesses of all shapes and sizes are leveraging Microsoft Power BI to find insights within their own data. This standalone tool (not a part of Power Platform, despite its name) has emerged as a powerful tool, empowering all business users, not just trained data scientists, to transform raw data into meaningful insights. From data visualization…
Blog
December 21st, 2023

A Year in the Life: Zenity Reaches New Heights in 2023
At Zenity, 2023 was a year of tremendous growth, exciting performance, and important milestones. I am so proud of our team as we strive to support our customers, partners, as well as each other during what was a challenging, but fruitful year for all of us. Growing the Team Globally In keeping with my belief…
Blog

Want to get in touch?

We’d love to chat with you about how your team can unleash copilots and low-code development