Security researchers have uncovered a critical blind spot in Microsoft’s Purview audit logging for Copilot: certain prompts can retrieve sensitive file contents without leaving any trace in audit records. Microsoft quietly deployed a server-side fix without issuing a CVE or proactively notifying customers, drawing sharp criticism from the security community.
Zach Korman, CTO at Pistachio, discovered that by instructing Copilot not to include a direct link or reference to a file, he could coax the AI into returning a file summary—while the expected Purview audit entry documenting file access simply never materialized. The behavior, confirmed by multiple independent outlets, means an attacker or malicious insider could harvest sensitive data without any log evidence, breaking foundational assumptions of enterprise security monitoring and compliance.
The gap emerged against a backdrop of heightened scrutiny over AI agent security. Just weeks earlier, Aim Labs disclosed CVE-2025-32711, dubbed “EchoLeak,” a zero-click vulnerability in Microsoft 365 Copilot with a CVSS score of 9.3. EchoLeak allowed attackers to exfiltrate data via email without user interaction, exploiting an “LLM scope violation” that combined prompt injection with traditional flaws. That incident—and Microsoft’s handling of it—set the stage for the current audit-log controversy, underscoring how AI assistants with broad access demand equally robust telemetry.
The Discovery: Prompt-Based Audit-Log Bypass
Copilot, embedded across Word, Outlook, Teams, SharePoint, and other Microsoft 365 apps, is documented to generate audit records in Microsoft Purview when auditing is enabled. These logs capture who asked Copilot to access which resource and when, forming a critical trail for incident response, insider threat detection, and regulatory compliance.
Korman’s test was simple. He asked Copilot to summarize a file without providing a link to the original. Under normal conditions, Copilot returns a summary and a reference to the source file, and Purview logs an AccessedResources event. But with the link suppressed, the summary still appeared—yet no corresponding audit entry was written. The access effectively turned invisible.
This behavior was not a one-off glitch. Researchers reproduced it across multiple tenant configurations, and the simplicity of the prompt—“don’t include the link”—suggested a deep design flaw rather than an exotic edge case. The bypass could be exploited by anyone with legitimate Copilot access, including insiders looking to exfiltrate data without a trace, or compromised accounts performing enumeration before a larger attack.
EchoLeak Context: Why Copilot Logging Is Critical
The EchoLeak vulnerability (CVE-2025-32711) provided a stark preview of what happens when AI agent boundaries fail. In that zero-click attack, a specially crafted email could cause Copilot to leak chat logs, OneDrive files, SharePoint content, and Teams messages—all without user interaction. The vulnerability was patched server-side, but it exposed systemic design weaknesses in retrieval-augmented generation (RAG) systems and AI agents.
EchoLeak also highlighted why logging is not a nice-to-have. Defenders rely on Purview audit records to detect data exfiltration, correlate anomalies, and build forensic timelines. If a prompt injection or scope violation occurred, audit logs would be the primary evidence. The newly discovered audit-log gap means that even without an exotic exploit, internal users could silently extract data, and security teams would have no way to know.
The timing is crucial: Microsoft’s own advisory for CVE-2025-32711 recommended DLP tags and sensitivity-label-based access controls as mitigation. But such controls are useless if the underlying activity can bypass audit logging altogether. The audit-log gap undermines the very detection postures that organizations are scrambling to build.
Microsoft’s Quiet Fix and the Disclosure Controversy
Korman reported the issue to Microsoft’s Security Response Center (MSRC). According to his account, the report entered the MSRC workflow and was set to “Reproducing.” While still in that status, Microsoft engineers pushed a server-side fix that closed the behavior. The public-facing portal only moved to “In Development” after the mitigation had already been deployed.
Microsoft informed Korman that a patch would release “shortly” and that he could disclose one day after deployment. However, the company declined to assign a CVE, stating that customers need not take action because the fix was server-side. Microsoft also reportedly said it had “no plans to make this public.”
This approach clashes with Microsoft’s own vulnerability disclosure guidelines. The MSRC blog “Toward Greater Transparency: Unveiling Cloud Service CVEs” outlines criteria for issuing CVEs for cloud-only vulnerabilities, especially those that can cause significant harm. The guidance encourages CVE Numbering Authorities (CNAs) to assign identifiers when a vulnerability requires action by parties other than the CNA—or when the impact is severe enough to warrant public awareness.
Security researchers argue that a CVE serves as a durable, searchable record used by compliance teams, vulnerability managers, and regulators. Omitting it leaves organizations uninformed about a period when their audit logs may be unreliable. Even if a server-side fix closes the hole, customers need to know which time windows to scrutinize for missing events, whether to trigger breach notifications, and how to respond to regulatory inquiries.
Why Missing Audit Events Are a Security and Compliance Nightmare
Audit logs are the raw material for SIEM correlation, incident response timelines, and regulatory compliance evidence (HIPAA, FINRA, GDPR, etc.). When those logs are incomplete, every downstream process fails silently. A defender searching Purview for Copilot file access will see no record and assume no access occurred—even though Copilot already returned the content to the user.
The legal implications are equally serious. Courts and regulators demand demonstrable chain-of-custody and system logs. Missing entries complicate eDiscovery, undermine defensible deletion strategies, and can lead to sanctions. In industries where auditability is a compliance requirement, the gap is a direct violation of control frameworks.
Moreover, the bypass does not require sophisticated tools or elevated privileges. Any user who can interact with Copilot—potentially a disgruntled employee conducting slow exfiltration—can trigger the gap. That low barrier dramatically expands the insider threat surface.
Technical Causes and Threat Scenarios
Microsoft’s Purview documentation acknowledges that Copilot audit properties vary by hosting scenario and tenant configuration. Some records omit device identity or full prompt text. This inherent variability creates plausible paths for audit gaps. Possible causes for the reported bypass include:
- A UI-only rendering path that synthesizes summaries from cached content without invoking the backend retrieval API that emits audit records.
- A conditional logging branch that skips writing
AccessedResourceswhen response links are suppressed, because link creation and telemetry emission were coupled. - A model behavior where content is returned from a short-term context window rather than a documented retrieval call, skipping the audit hook.
Without public root-cause analysis from Microsoft, the exact mechanics remain opaque—a transparency gap that concerns both researchers and enterprise defenders.
Threat scenarios are immediate and plausible:
- Malicious insider: An employee repeatedly requests summaries of sensitive files with “don’t include the link” prompts, exfiltrating content without any Purview trace.
- Lateral attacker: A compromised account uses Copilot to enumerate or summarize restricted data; SIEM correlation fails because the expected
CopilotInteractionevent is missing. - Post-incident cover-up: An attacker triggers Copilot extractions that leave no audit trail, then deletes downstream artifacts. Defenders lack the system logs needed for prosecution or disclosure.
Broader Implications for Cloud AI Transparency
Microsoft’s handling of the EchoLeak CVE and this audit-log gap reflects a growing tension in cloud AI governance. On one hand, server-side mitigations allow rapid response without customer patches, reducing the window of exposure. On the other, the lack of public disclosure and CVE assignment leaves tenants blind to past integrity failures and unable to meet their own compliance obligations.
The Copilot audit-log episode is not just a product bug; it’s a test of whether cloud providers will treat telemetry-impacting issues as vulnerabilities that demand transparent, tracked remediation. As AI agents gain broader access to sensitive data, the integrity of audit trails becomes a foundational trust assumption. When that trust is undermined—even unintentionally—the consequences span security, compliance, and legal exposure.
Microsoft’s MSRC guidance explicitly states that cloud-only CVEs should be issued when significant harm is likely. The audit-log gap clearly meets that threshold. The company’s decision to skip a CVE and keep the fix quiet sets a concerning precedent. It signals that vendors may unilaterally deem an issue not worth disclosure, even when it directly affects customer security postures.
Recommendations for Enterprise Security Teams
Administrators should assume audit gaps are possible and act now to verify and harden visibility:
- Validate Purview coverage: Export Purview audit searches for
CopilotInteractionandAIAppInteractionrecord types. Simulate benign Copilot actions (including prompt variations that suppress links) and confirm the expected records appear. - Harden telemetry collection: Enable extended retention and automated export pipelines from Purview into an immutable SIEM or object store. This reduces reliance on in-service audit integrity alone.
- Apply least‑privilege to Copilot: Minimize Copilot’s access to high‑sensitivity stores. Implement approval workflows before granting access to HR, legal, or regulated data.
- Adjust detection playbooks: Add behavioral detections for anomalous Copilot outputs: unusual summary sizes, repeated content extraction, or off‑hours summarization. Correlate Copilot outputs with other telemetry (mailbox access logs, SharePoint read events) to spot discrepancies.
- Demand post‑mitigation transparency: If a cloud provider applies a silent server‑side fix for telemetry‑impacting issues, require written confirmation of deployment time, affected historical windows, and recommended verification steps.
- Consult legal counsel: Determine whether pre‑fix logging gaps trigger mandatory breach notification in your jurisdiction. Preserve forensic images and exports for relevant retention windows.
The Bottom Line
The Copilot audit-log bypass is a warning: AI agents with broad access require equally robust, verifiable telemetry. The reported gap shows how design decisions can create operational blind spots that are easy to trigger and hard to detect after the fact.
Microsoft fixed the behavior promptly, but the quiet handling leaves customers in the dark about past log integrity. Enterprise security leaders must treat vendor audit trails as one input—not the only source—and be prepared to compensate with independent exports and immutable archives.
The industry needs clearer norms for handling telemetry‑impacting fixes. Until then, defenders must verify and harden their own sightlines, assuming that logging behavior can be context‑dependent and that vendor transparency cannot be taken for granted.