In this blog I’ll share some examples of prompts you can use to check your messages for social engineering attempts. Read more about how to use Copilot as a thinking partner to spot and handle social engineering in this blog: Copilot, your social engineering thinking partner – MeretheStave
End‑user self-check (you inspecting your own messages in Outlook/Teams)
Org‑wide detection & triage (security team tooling)
Prompt examples using Source → Context → Expectation → Goal, plus guidance on which Copilot to use for each scenario.
Which Copilot should you use? ✅
A) For you to check your own email + Teams conversations (end‑user)
Use Microsoft 365 Copilot inside Outlook and Teams. It can summarize and reference the content in the thread you open Copilot from, and Teams Copilot can cite sources from the message thread.
– Outlook: Use Copilot in Outlook on specific emails/threads you’re reviewing (you control what you ask it to analyze).
– Teams: Use Copilot inside the relevant chat or channel to review what happened, which links were shared, and what looks suspicious.
Important blog nuance: Copilot is a productivity assistant. Your “phishing detection” result is a human-in-the-loop aid, not a security verdict.
B) For real phishing triage and scaling across the org (security team)
Use Microsoft Security Copilot + Microsoft Defender—specifically the Phishing Triage Agent in Microsoft Defender (for user‑reported suspicious emails). It’s designed to classify and triage reported phishing at scale and provides reasoning and evidence.
And for link protection across M365 apps (email + Teams included), the Safe Links capability in Defender for Office 365 does URL scanning and time-of-click verification in email and Teams.
– Microsoft 365 Copilot (Outlook/Teams) → personal review + awareness + safer decisions
– Microsoft Security Copilot / Defender for Office 365 → detection, triage, and policy-based protection
2) Check Outlook email (end‑user self-check)
Prompt — “Email hygiene scan (safe, non-click)”
Source: The email thread I’m viewing in Outlook (subject, sender, preview text, and any links shown as text).Context: I’m checking for phishing or social‑engineering tactics before I reply, open attachments, or click links.Expectation:- Identify red flags (e.g., urgency, authority pressure, money/credential requests, odd sender domain, link mismatch, unusual attachment types).- Rate risk as Low / Medium / High.- Give a safe verification step (how to confirm via known channels) and what to do next (ignore, verify, report).- Do not ask me to click any link or open any attachment.Goal: Decide the safest next action without getting tricked into sharing data or authenticating on a fake site.✨ Why it’s good: it sets a safety boundary (“don’t click”), forces structured output, and creates a clear decision outcome.
3) Check Teams chat/channel (end‑user self-check)
Teams Copilot works best inside the specific chat or channel, and it can catch you up on the thread and show sources.
Prompt — “Suspicious activity check in Teams”
Source: This Teams chat/channel thread (messages from the last 30 days, unless I specify another timeframe).Context: I want to spot social‑engineering patterns in messages, links, or requests shared in this conversation.Expectation:- Summarize any messages that include requests for credentials, payments, gift cards, urgent “account” actions, or unusual file/link sharing.- List links that were shared and highlight anything that looks off (shorteners, look‑alike domains, mismatched display text).- Rate risk (Low/Medium/High) and name the likely tactic (urgency, authority, reciprocity, fear, curiosity, scarcity).- Recommend the safest next step (verify identity, report, move to secure channel, ask for a call-back using a known number).Goal: Avoid acting on a deceptive request and help the team handle suspicious messages consistently.4) Template for one “combined” prompt (email + Teams) :
Use this as a template:
Source: I will provide either (a) an email snippet or (b) a Teams message snippet, including sender, timestamp, and any links as text.Context: I’m learning to recognize phishing and social engineering in everyday work communication.Expectation:- Identify 3–5 red flags (if any).- Label the tactic (urgency, authority, impersonation, fear, reward, curiosity).- Give a risk rating (Low/Medium/High).- Provide a “safe next step” checklist: verify the sender, validate the request out-of-band, and report appropriately.- Never instruct me to click links, open attachments, or share credentials.Goal: Make a safe decision and improve my pattern recognition over time.Phising risks and mitigations
New research has highlighted that AI summaries can be a target for prompt injection (hidden instructions inside content that tries to manipulate the assistant’s output), especially around email/chat summarization scenarios.
👀Researchers Uncover New Phishing Risk Hidden Inside Microsoft Copilot
I recommend:
– Treat AI output as a second opinion, not a verdict
– Always verify identity + link destinations via known channels
– Use Defender/Security tooling for actual detection and enforcement
Prompt card for social engineering attempt
🧠 Prompt Card: Check Emails and Teams Messages for Social Engineering
Use this prompt with Microsoft 365 Copilot in Outlook or Teams to help you spot phishing and social‑engineering tactics before you click, reply, or share information.
🔍 What this prompt is for
– Reviewing emails or Teams messages that feel a bit off
– Learning to recognize common social‑engineering patterns
– Making safer decisions in your day‑to‑day work
⚠️ This is a human‑in‑the‑loop safety check, not a replacement for security tooling.
📌 The Prompt (copy & paste)
Source:The email or Teams message I’m reviewing (sender, subject, message text, and any links shown as text).Context:I want to check whether this message uses phishing or social‑engineering tactics before I take any action.Expectation:- Identify possible red flags (for example: urgency, authority pressure, fear, rewards, requests for credentials, payments, or unusual links).- Name the likely social‑engineering tactic, if any.- Rate the risk as Low / Medium / High.- Recommend the safest next step (verify via known channels, report, ignore, or escalate).- Do not ask me to click links, open attachments, or share credentials.Goal:Help me decide the safest way to handle this message and improve my ability to recognize social‑engineering attempts over time.✅ How to use it
– In Outlook: Open the email → open Copilot → use the prompt
– In Teams: Open the relevant chat or channel → open Copilot → use the prompt
– Manually: Paste a message snippet into Copilot Chat and run the prompt
🛡️ Pro tip
Treat Copilot’s response as guidance, not a verdict.
If something involves money, access, identity, or urgency:
– Pause
– Verify the sender via a known, out‑of‑band channel
– When in doubt, report it
Resources and links:
– Cooking up a great prompt: Getting the most from Copilot – Microsoft Support
Use Copilot in Microsoft Teams chat and channels – Microsoft Support
– Use Copilot in Microsoft Teams chat and channels – Microsoft Support
– Security Copilot Phishing Triage Agent in Microsoft Defender – Microsoft Defender XDR | Microsoft Learn