🟠 High | Source: Microsoft Security Response Center
A vulnerability in Microsoft 365 Copilot’s Business Chat lets an unauthenticated attacker abuse an open redirect flaw to send users to malicious sites. This can be leveraged to elevate privileges over a network, potentially enabling account takeover or credential theft. The risk is heightened by the widespread enterprise adoption of Microsoft 365 Copilot.
Security Architect’s Take: Review and restrict access to Microsoft 365 Copilot’s Business Chat where it is not business-critical, and ensure that conditional access policies and phishing-resistant MFA are enforced. Monitor Microsoft’s update guidance and apply any available patches or mitigations promptly, particularly in environments where Copilot has broad data access.
Original advisory: CVE-2026-47645 Microsoft 365 Copilot’s Business Chat Elevation of Privilege Vulnerability