CVE-2026-47645
Microsoft · 365 Copilot Business Chat
Microsoft 365 Copilot's Business Chat is vulnerable to an open redirect, which can be leveraged by an unauthorized attacker to facilitate privilege escalation over a network.
Executive summary
An open redirect vulnerability in Microsoft 365 Copilot's Business Chat may allow unauthorized attackers to escalate privileges over a network.
Vulnerability
The application contains an "open redirect" vulnerability: a user-supplied redirect target is not properly validated before the user is sent to it, so the application can be made to forward users to an untrusted site. This vulnerability can be chained with other techniques to achieve privilege escalation.
Business impact
While an open redirect is often considered a lower-severity issue, the potential for privilege escalation elevates the risk profile, resulting in a CVSS score of 8.8. A successful exploit could lead to unauthorized access to sensitive corporate data within the M365 ecosystem, reputational damage, and the compromise of user accounts. The capability to escalate privileges makes this a significant threat to internal security controls.
Remediation
Immediate Action: Apply all relevant Microsoft security updates immediately upon release to address the redirect flaw.
Proactive Monitoring: Monitor network and application logs for unexpected redirection patterns or users being routed to unrecognized external domains from the Business Chat interface.
Compensating Controls: Implement strict Content Security Policy (CSP) headers and maintain user awareness training regarding suspicious links, even those originating from trusted internal interfaces.
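The following is an added example, not Microsoft code and not derived from the affected product, illustrating two points from this advisory: the validation that is missing in an open redirect (the Vulnerability section) and the log review recommended under Proactive Monitoring. The application origin, the allowlisted hosts, the parameter name and the log line format are all constructed for illustration. The hardened check resolves the requested target relative to the application's own origin and honours it only if the effective host is on the allowlist, which also covers the common edge cases (protocol-relative targets, look-alike hostnames, userinfo before the host, and backslashes that browsers treat as slashes). The same check is then run over constructed log lines to surface redirects that left the approved set of hosts.

```python
"""Allowlist-based redirect validation and redirect-log review (constructed example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed values: the application's own origin and the hosts it may send users to.
APP_ORIGIN = "https://chat.example.com"
ALLOWED_HOSTS = {"chat.example.com", "login.example.com"}


def unsafe_redirect_target(return_to: str) -> str:
    """The open-redirect pattern: a user-supplied target is used unchanged."""
    return return_to


def resolve_target(return_to: str) -> Optional[str]:
    """Resolve a requested target relative to APP_ORIGIN, as a browser would.

    Returns None for values whose handling differs between URL parsers:
    browsers treat backslashes like slashes (so "\\\\host" acts as "//host")
    while urlsplit does not, and control characters are never legitimate.
    """
    if "\\" in return_to or any(ord(c) < 0x20 or c == "\x7f" for c in return_to):
        return None
    return urljoin(APP_ORIGIN + "/", return_to)


def target_is_allowed(return_to: str) -> bool:
    """True only if the effective scheme is https and the effective host is allowlisted.

    Using urlsplit().hostname (not the raw string) means "https://chat.example.com@evil"
    is judged by the real host, and "chat.example.com.evil" fails the exact-match test.
    """
    resolved = resolve_target(return_to)
    if resolved is None:
        return False
    parts = urlsplit(resolved)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(return_to: str, fallback: str = "/") -> str:
    """Hardened form: redirect to the requested target only if it passes the allowlist,
    otherwise to a fixed in-application fallback."""
    if target_is_allowed(return_to):
        return resolve_target(return_to)
    return urljoin(APP_ORIGIN + "/", fallback)


# Constructed log lines in a made-up format (not a real product log).
SAMPLE_LOG = """\
2026-05-01T10:00:01Z user=alice action=redirect target=https://chat.example.com/dashboard
2026-05-01T10:00:07Z user=bob action=redirect target=https://login.example.com/oauth/callback
2026-05-01T10:00:09Z user=carol action=redirect target=https://chat.example.com.attacker.example/login
2026-05-01T10:00:12Z user=dave action=redirect target=//attacker.example/collect
2026-05-01T10:00:15Z user=erin action=redirect target=/settings
"""

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=redirect target=(\S+)$")


def find_offsite_redirects(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, effective host) for redirect events whose target
    resolves to a host outside the allowlist; these are the events worth triage."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        timestamp, user, target = match.groups()
        if target_is_allowed(target):
            continue
        resolved = resolve_target(target)
        host = urlsplit(resolved).hostname if resolved else "<unparseable>"
        findings.append((timestamp, user, host or "<none>"))
    return findings


if __name__ == "__main__":
    for timestamp, user, host in find_offsite_redirects(SAMPLE_LOG):
        print(f"{timestamp} {user} was redirected off-site to {host}")
```

Run stand-alone, the script reports the two constructed events (carol and dave) that resolve to hosts outside the allowlist; the look-alike host and the protocol-relative target are both caught because the check is made on the resolved hostname rather than on a string prefix.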
Exploitation status
Public Exploit Available: False
Analyst recommendation
Microsoft 365 users should maintain a vigilant posture regarding security updates. Given the potential for privilege escalation, it is vital to apply patches as soon as they are made available by Microsoft. Organizations should also review their identity and access management policies to minimize the impact of potential privilege abuse.