Zack Korman

@ZackKorman


CTO @ Pistachio. I build security stuff.

Oslo, Norway
Joined January 2014
@ZackKorman
Zack Korman
3 years
Unlike most people on Twitter, I’m actually using GPT3 in a production system. The mistake people are making is they are asking “how can I use this to automate a smart person’s job”, when they should be asking “what would I do if I had unlimited dumb people”.
@ZackKorman
Zack Korman
21 hours
Why did I have a call with MSRC about copilot and how they want to work closely with AI security researchers when quite literally m365 copilot, basically the only copilot anyone uses, isn’t in their bug bounty program? Absolute clowns.
@grok
Grok
3 days
What do you want to know?
@ZackKorman
Zack Korman
22 hours
Turns out the bug bounty program for Copilot only covers personal accounts. That’s actually pretty funny. I can’t really see a good reason why an org would trust the security of m365 copilot with that being the case.
@ZackKorman
Zack Korman
22 hours
Also they say to reach out to their case manager, and a ton of MSRC docs refer to this case manager person. I don’t have a case manager. I talk to an anonymous web portal.
@ZackKorman
Zack Korman
22 hours
Like, fine, don’t pay a bounty. I was going to use the money to throw a party for my team, but we will live without. But what are they even doing over at MSRC?
@ZackKorman
Zack Korman
22 hours
Microsoft isn’t paying a bounty because this is related to “enterprise copilot”, which apparently isn’t covered? I don’t even know what that means… I have an M365 copilot license and a P1 license lol. What are they talking about?
@ZackKorman
Zack Korman
3 days
Microsoft isn’t disclosing this so: M365 Copilot allowed users to access files without producing an audit log. All you had to do was ask Copilot to not link to the file. You don’t even have to ask; it sometimes just happens. If your org uses Copilot your audit log is likely wrong.
@ZackKorman
Zack Korman
23 hours
Why is it like that? I don’t know. But it kinda sucks because my cool hack for making the Exchange audit log work better (see thread) doesn’t work if people don’t use Outlook.
@ZackKorman
Zack Korman
30 days
Quick (super short) thread on Microsoft audit logs for the ~3 people who follow me who might care: 1. The Exchange audit log doesn’t tell you who an email was sent to! That kind of sucks.
@ZackKorman
Zack Korman
23 hours
An annoying thing about Purview sensitivity labels is that you can apply a label to all emails sent via Outlook, but that doesn’t mean all emails sent. If people send emails via a non-Outlook tool it doesn’t apply the label.
@ZackKorman
Zack Korman
2 days
Oh and for the hundreds of people today who went to our pricing page, use the promo code COPILOT_ISNT_YOUR_FRIEND for a discount. (Just kidding there is no promo code but I can get you a big discount, because if the sales team can discount then so can I).
@ZackKorman
Zack Korman
2 days
Just want to say thanks to everyone who liked and reposted this. Microsoft really made me worry that maybe I was wrong, that this didn’t matter, and that no one would care. That made me super nervous to the point where I almost didn’t disclose it either. So thank you.
@ZackKorman
Zack Korman
3 days
Here is a full write-up and why I think Microsoft is bad:
pistachioapp.com
Copilot Broke Your Audit Log, but Microsoft Won’t Tell You
@ZackKorman
Zack Korman
4 days
Microsoft isn’t just not issuing a CVE, they’re actually not going to disclose this issue at all.
@ZackKorman
Zack Korman
10 days
Microsoft now confirmed that because the vulnerability I reported is important, not critical, and because they’ve now fixed it, they won’t issue a CVE. It’s like they actually want to discourage people from reporting.
@ZackKorman
Zack Korman
5 days
If you send phishing sims to your users, what happens after they click/leak creds/whatever is pretty irrelevant. The value is that they’re receiving them frequently enough to remember to pay attention. And the control group here had that…
@ZackKorman
Zack Korman
5 days
A study claiming phishing simulations don’t work (i.e. make people safer) had a control group that received phishing simulations. Lmao.
@ZackKorman
Zack Korman
8 days
“I prefer to work from home because I focus better that way” yea I am sure you’re just obsessed with maximizing shareholder value. That’s what it is.
@ZackKorman
Zack Korman
9 days
Also using sender name and only showing the email address on hover is an excellent design choice if your goal is to get people hacked.
@ZackKorman
Zack Korman
9 days
It’s really that easy.
@ZackKorman
Zack Korman
9 days
Fun phishing trick: You can get Copilot’s summary to claim that it analyzed the email as safe just by including some hidden text telling it to do that.
@ZackKorman
Zack Korman
13 days
Microsoft is telling me they won’t issue a CVE for a vulnerability I reported because it is a cloud service and doesn’t require customer actions to fix. Which is quite literally not their policy. See link: