Microsoft has enhanced the security of M365 Copilot Chat by integrating SafeLinks protection from Defender for Office 365. This feature ensures URL safety at the time of click across various platforms, including Desktop, Web, Outlook Mobile, Teams Mobile, and the Microsoft 365 Copilot Mobile app (iOS and Android).
Key Features:
- Time-of-Click Protection: SafeLinks scans URLs in real-time when clicked within Copilot Chat.
- URL Protection Reports: Security teams can monitor threats and actions taken via summary and trend reports.
- Enhanced Investigation: Analysts can trace the origin of malicious URLs in hunting and investigation workflows.
- Native URL Reputation Check: For users without Defender for Office 365, Copilot Chat performs a basic URL reputation check.
🔗 Reference: Microsoft Security Blog
You Should Know:
How SafeLinks Works in Defender for Office 365
SafeLinks rewrites URLs in emails and documents, scanning them at click-time. Here’s how to verify and test SafeLinks:
Check SafeLinks Protection Status (PowerShell)
Get-SafeLinksPolicy | Select Name,EnableSafeLinksForTeams,EnableSafeLinksForEmail
Enable SafeLinks for Teams (If Not Active)
Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinksForTeams $true
Simulate a SafeLinks Click Test
Use a test malicious URL (e.g., `http://example.com/malicious`) in a Copilot Chat session and verify if it gets blocked.
Monitor SafeLinks Logs
Get-UrlTrace -DomainFilter "example.com" -StartDate (Get-Date).AddDays(-1)
Linux/Mac Alternative: cURL for URL Reputation Check
For non-Windows users, manually check a URL’s reputation:
curl -s "https://www.virustotal.com/api/v3/urls" --header "x-apikey: YOUR_API_KEY" --data-urlencode "url=http://example.com" | jq .
Expected Incident Response Steps
1. Identify Malicious URL:
Get-UrlTrace -Url "http://example.com/malicious"
2. Block URL Globally:
New-TenantAllowBlockList -Block -Urls "http://example.com/malicious"
3. Hunt for Compromised Users:
OfficeActivity | where Url contains "example.com" | summarize by UserId
What Undercode Say
Microsoft’s integration of SafeLinks into M365 Copilot Chat is a critical step in combating phishing and malicious links in AI-driven workflows. Security teams should:
– Audit SafeLinks Policies: Ensure coverage across all endpoints.
– Train Users: Even with SafeLinks, social engineering remains a risk.
– Automate Response: Use PowerShell and KQL to automate malicious URL containment.
For advanced threat hunting, combine SafeLinks logs with Defender XDR queries:
DeviceNetworkEvents | where RemoteUrl has_any ("malicious.com", "phishing.link")
Expected Output:
- SafeLinks blocking malicious Copilot Chat URLs.
- Increased visibility via Defender XDR hunting.
- Reduced click-through rates on phishing attempts.
Prediction
As AI-driven chat platforms grow, expect more attackers to target them with malicious links. Microsoft will likely expand SafeLinks to include:
– Attachment Sandboxing for Copilot file shares.
– Behavioral AI to detect suspicious link contexts.
– Cross-Platform Enforcement beyond Microsoft 365.
Stay tuned for deeper AI-integrated security features in Defender XDR.
References:
Reported By: Markolauren Defenderxdr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
