Links and materials for 15 Ways to Break Your Copilot

Links, source code, tools and slides for BlackHat USA 2024

This is a post with all of the links and additional materials for a talk I gave at BlackHat USA 2024 titled 15 Ways to Break Your Copilot.

Slides and demos

Demos:

  • Scanning the Internet to find open Copilot Studio bots and extract information from them, by Avishai Efrat - video

Tools

CopilotHunter is a tool we’re dropping today. It allows you to scan for publicly accessible Copilot Studio bots and extract information from them. You can point it at your tenant, or scan the entire internet.

Hardening recommendations

  1. Go Hack Yourself with powerpwn!

  2. Help your users avoid these mistakes and make secure choices easy. Follow the frameworks to create a security program that works with citizen developers and professional developers.

  3. Harden your environment

    1. Turn off the following toggles in the Power Platform DLP:

      1. “Chat without Microsoft Entra ID authentication in Copilot Studio” to turn off publicly facing bots with no authentication.

      2. “Facebook channel in Copilot Studio”, “Direct line channels in Copilot Studio”, “Omnichannel in Copilot Studio” to turn off social channels outside of your corporate boundaries.

    2. Monitor the audit logs for suspicious activity.

Other talks mentioned

On credentials sharing

Copilot Studio bots can be embedded with maker credentials. This was actually the default for many months, and it is still a popular option today (the choice is up to the maker). This is a recurring security issue with low-code/no-code apps.

On sharing bots with everyone in the org, including guests

This setting can actually result in credentials being shared with everyone in your tenant. Last year at BlackHat, I showed how this can be used by guests to gain full dumps of your SQL servers and Azure resources.

We also released PowerPwn, an open source offensive tool that allows you to try this out in your tenant.

On bypassing the Power Platform DLP

The Power Platform DLP is not a security mechanism, it's a governance tool - a list of toggles you can set up to turn off platform features. It’s also very easy to bypass.
