Techniques
Sample rules
M365 Copilot Information Extraction Jailbreak Attack
- source: splunk
- technicques:
- T1562
Description
Detects M365 Copilot information extraction jailbreak attacks that attempt to obtain sensitive, classified, or comprehensive data through various social engineering techniques including fictional entity impersonation, bulk data requests, and privacy bypass attempts. The detection searches exported eDiscovery prompt logs for extraction keywords like “transcendent,” “tell me everything,” “confidential,” “dump,” “extract,” “reveal,” and “bypass” in the Subject_Title field, categorizing each attempt by extraction type and assigning severity levels (CRITICAL for classified/proprietary data, HIGH for bulk extraction or privacy bypass). Prompts are further analyzed for compound risk patterns such as “Confidential+Extraction” or “Bulk_Request+Bypass,” filtering out low-severity cases to surface the most dangerous attempts to exfiltrate sensitive organizational information through AI manipulation.
Detection logic
`m365_exported_ediscovery_prompt_logs`
| search Subject_Title="*transcendent*" OR Subject_Title="*incorporeal*" OR Subject_Title="*being who*" OR Subject_Title="*tell me everything*" OR Subject_Title="*give me all*" OR Subject_Title="*comprehensive*" OR Subject_Title="*step by step*" OR Subject_Title="*hidden*" OR Subject_Title="*secret*" OR Subject_Title="*confidential*" OR Subject_Title="*classified*" OR Subject_Title="*internal*" OR Subject_Title="*sensitive*" OR Subject_Title="*proprietary*" OR Subject_Title="*dump*" OR Subject_Title="*extract*" OR Subject_Title="*reveal*" OR Subject_Title="*disclose*" OR Subject_Title="*leak*"
| eval user = Sender
| eval extraction_type=case(match(Subject_Title, "(?i)(transcendent
|incorporeal).*being"), "Knowledge_Entity", match(Subject_Title, "(?i)tell.*me.*(everything
|all)"), "Everything_Request", match(Subject_Title, "(?i)(give
|show
|provide).*me.*(all
|every)"), "Complete_Data_Request", match(Subject_Title, "(?i)(hidden
|secret
|confidential
|classified)"), "Restricted_Info", match(Subject_Title, "(?i)(comprehensive
|complete
|full
|entire)"), "Complete_Info", match(Subject_Title, "(?i)(dump
|extract
|scrape).*(data
|info
|content)"), "Data_Extraction", match(Subject_Title, "(?i)(reveal
|disclose
|expose
|leak)"), "Information_Disclosure", match(Subject_Title, "(?i)(internal
|proprietary
|sensitive).*information"), "Sensitive_Data_Request", match(Subject_Title, "(?i)step.*by.*step.*(process
|procedure
|method)"), "Process_Extraction", match(Subject_Title, "(?i)(bypass
|ignore).*privacy"), "Privacy_Bypass", match(Subject_Title, "(?i)(access
|view
|see).*(private
|restricted)"), "Unauthorized_Access", 1=1, "Generic_Request")
| eval severity=case(match(Subject_Title, "(?i)(transcendent
|incorporeal)"), "HIGH", match(Subject_Title, "(?i)tell.*everything"), "HIGH", match(Subject_Title, "(?i)(dump
|extract
|scrape)"), "HIGH", match(Subject_Title, "(?i)(classified
|proprietary
|confidential)"), "CRITICAL", match(Subject_Title, "(?i)(hidden
|secret
|internal
|sensitive)"), "MEDIUM", match(Subject_Title, "(?i)(reveal
|disclose
|leak)"), "MEDIUM", match(Subject_Title, "(?i)(bypass
|ignore).*privacy"), "HIGH", 1=1, "LOW")
| where severity!="LOW"
| eval data_risk_flags=case(match(Subject_Title, "(?i)(classified
|confidential
|proprietary)") AND match(Subject_Title, "(?i)(dump
|extract
|scrape)"), "Confidential+Extraction", match(Subject_Title, "(?i)(everything
|all
|complete)") AND match(Subject_Title, "(?i)(bypass
|ignore)"), "Bulk_Request+Bypass", match(Subject_Title, "(?i)(classified
|confidential
|proprietary)"), "Confidential", match(Subject_Title, "(?i)(dump
|extract
|scrape)"), "Extraction", match(Subject_Title, "(?i)(everything
|all
|complete
|comprehensive)"), "Bulk_Request", match(Subject_Title, "(?i)(bypass
|ignore)"), "Bypass_Attempt", 1=1, "Standard_Request")
| table _time, user, Subject_Title, extraction_type, severity, data_risk_flags, Size
| sort -severity, -_time
| `m365_copilot_information_extraction_jailbreak_attack_filter`