An M365 Copilot flaw was recently discovered that allows users to access file information without the activity being recorded in the audit log. This issue cropped up by chance, rather than being the result of a complex exploit. Zack Korman, CTO at Pistachio, said the vulnerability could be exploited by malicious insiders to go undetected when accessing sensitive files, posing a significant problem for organizations that rely on accurate audit logs for security, legal compliance, and incident response.
Korman reported the flaw to Microsoft and the company has fixed the vulnerability as of a few days ago, patching Copilot directly. Korman decided to disclose the flaw himself after Microsoft said it wouldn’t tell customers. Korman argued this was wrong and believes businesses should know that they may have incomplete audit logs.
According to Korman, Microsoft’s MSRC (Microsoft Security Response Center) failed to follow its own published policy for handling vulnerability reports. The status of the report was changed incorrectly and without explanation. The CTO likened the process to the “Domino’s Pizza Tracker for security researchers”, rather than a reflection of the work being done. MSRC initially said that it wouldn’t be issuing a CVE number because customers don’t need to take action as it was classified as “important” rather than “critical”.
Microsoft informed the researcher that it had no plans to disclose the vulnerability to customers, a decision he strongly disagrees with, arguing that organizations need to know their audit logs may be incomplete. Microsoft’s silence is particularly problematic for regulated entities, such as those subject to HIPAA, that rely on audit logs to meet compliance requirements.
An incomplete audit log has serious consequences for organizations in detecting, investigating, and responding to incidents. The silent fix from Microsoft raises questions about its responsibility to its users, especially as the vulnerability isn’t too hard to trigger. Microsoft’s refusal to issue a CVE or notify users undermines transparency. Organizations may need to review recent audit logs for gaps or inaccuracies.
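One practical way to act on that last point is to reconcile exported audit records against each other: every logged Copilot interaction that references a file should normally sit alongside a file-access event for the same user and file. The script below is an added example, not code from the article, Pistachio or Microsoft. It runs over a small constructed sample of simplified records; the field names (`Operation`, `UserId`, `ObjectId`, `AccessedResources`, `CreationTime`) are assumptions that a real export from the unified audit log would need to be mapped onto, and the five-minute matching window is an arbitrary choice. A check like this can only surface gaps where the Copilot interaction itself was logged; access that left no record at all cannot be recovered this way.

```python
"""Find Copilot file references that lack a matching file-access audit record.

Added example for audit-log gap review. The record schema is simplified and
the field names are assumptions, not the exact shape of a real M365 export.
"""
from datetime import datetime, timedelta

# Constructed sample of exported audit records (simplified schema).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-08-20T09:00:00", "UserId": "alice@example.com",
     "Operation": "CopilotInteraction",
     "AccessedResources": ["sites/hr/Shared Documents/salaries.xlsx"]},
    {"CreationTime": "2025-08-20T08:59:50", "UserId": "alice@example.com",
     "Operation": "FileAccessed",
     "ObjectId": "sites/hr/Shared Documents/salaries.xlsx"},
    {"CreationTime": "2025-08-20T10:15:00", "UserId": "bob@example.com",
     "Operation": "CopilotInteraction",
     "AccessedResources": ["sites/legal/Shared Documents/merger.docx"]},
    # Deliberately no FileAccessed record for bob's merger.docx: this is a gap.
    {"CreationTime": "2025-08-20T11:00:00", "UserId": "carol@example.com",
     "Operation": "FileAccessed",
     "ObjectId": "sites/eng/Shared Documents/design.pdf"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_unlogged_copilot_access(records, window=timedelta(minutes=5)):
    """Return (user, file, copilot_time) for each file a Copilot interaction
    referenced without a FileAccessed record by the same user for the same
    file within +/- window of the interaction."""
    # Index file-access events by (user, file), case-insensitively.
    file_events = {}
    for rec in records:
        if rec["Operation"] == "FileAccessed":
            key = (rec["UserId"].lower(), rec["ObjectId"].lower())
            file_events.setdefault(key, []).append(parse_time(rec["CreationTime"]))

    gaps = []
    for rec in records:
        if rec["Operation"] != "CopilotInteraction":
            continue
        when = parse_time(rec["CreationTime"])
        for resource in rec.get("AccessedResources", []):
            key = (rec["UserId"].lower(), resource.lower())
            matched = any(abs(t - when) <= window for t in file_events.get(key, []))
            if not matched:
                gaps.append((rec["UserId"], resource, rec["CreationTime"]))
    return gaps


if __name__ == "__main__":
    for user, path, when in find_unlogged_copilot_access(SAMPLE_RECORDS):
        print(f"GAP: {user} referenced {path} via Copilot at {when} "
              f"with no FileAccessed record")
```

Run against a real export, the interesting output is not the individual gaps but their distribution: a cluster of gaps inside the window during which the flaw was live, followed by none after the fix, is consistent with the behaviour the article describes, whereas gaps spread evenly over time point at a mapping or retention problem in the export itself.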