Microsoft says Copilot was summarizing confidential emails without permission

A Copilot Chat bug in Microsoft 365 pulled and summarized emails marked confidential, bypassing data loss prevention policies. Microsoft has deployed a fix, but the incident highlights new risks that come with AI assistants in the workplace.


Copilot summarized confidential emails it should not have touched

Microsoft says a bug in Microsoft 365 and Copilot caused the AI assistant to summarize emails that were labeled confidential, despite organizational safeguards meant to prevent exactly that. The issue reportedly bypassed data loss prevention, or DLP, policies that enterprises use to keep sensitive information from being shared or processed inappropriately.

The problem affected Copilot Chat, the conversational assistant embedded across Microsoft 365. In Microsoft’s documentation, the company says confidential emails were "incorrectly processed by Microsoft 365 Copilot chat".

Copilot Chat rolled out to Microsoft 365 apps like Word, Excel, Outlook, and PowerPoint for enterprise users last fall. It is pitched as a content-aware assistant that can draft, summarize, and answer questions using a user’s work context. As tech companies build AI into nearly every tool, these assistants introduce new cybersecurity and compliance risks, from prompt injection to accidental policy bypasses.

What Microsoft and reports say happened

The issue, tracked internally as CW1226324, was first detected on Jan. 21 and impacts Copilot’s work tab chat feature, according to reporting from Bleeping Computer. Microsoft’s advisory indicated Copilot Chat was pulling in and summarizing emails in users’ Sent Items and Drafts folders, even when those messages carried sensitivity labels designed to block automated access.

In practical terms, content that should have been off-limits was not. Microsoft confirmed that a code issue was responsible and said a fix began rolling out in early February. The company is monitoring the deployment and contacting some affected customers to verify that the patch is working.

Microsoft has not disclosed how many organizations were impacted. The scope may change as the investigation continues.

Why this matters for enterprise security and compliance

DLP policies and sensitivity labels are foundational controls. Organizations depend on them to prevent unauthorized sharing, processing, or export of confidential data. When an AI assistant bypasses those controls, it erodes trust in the entire data governance stack.

Copilot is designed to understand work context, which is useful for productivity, but that same design can expand the blast radius of a bug. If sensitive content is accessible across apps and locations, then any misconfiguration or code defect can have cross-application consequences.

This incident underscores a broader truth: AI systems introduce new pathways for data leakage. Even when policies exist, enforcement must consistently apply across the AI layer, the application layer, and the data layer. Otherwise, sensitive information can slip through gaps at integration points.

How the bug surfaced and what it reveals

The affected capability sits inside Copilot’s work-focused chat. By design, it can reference recent emails and documents to answer questions and create summaries. In this case, Copilot reportedly ingested and summarized protected emails in error, ignoring sensitivity labels in Sent and Drafts.

Two important lessons stand out. First, labels and DLP rules must bind at the AI interaction layer, not just at storage or transport. Second, content-aware assistants need strict guardrails about what they can access and under what conditions, especially when users query broad categories like "summarize my drafts" or "what did I send last week".

Even when the root cause is a code issue, the downstream effect touches legal, compliance, and risk teams. Any AI feature that synthesizes or retrieves information should be treated as a potential data egress channel.

The bigger picture: AI assistants add attack surface

Security teams already worry about prompt injection, where malicious or crafted content can steer an AI model to reveal or act on information it should not. They also monitor for context overreach, where assistants reach beyond intended data scopes because of overly broad permissions or weak policy mapping.

On top of that, model output can inadvertently expose sensitive metadata or summary details, even if raw content remains inaccessible. This is why AI governance must include output controls, prompt and response logging, and post-processing filters that respect sensitivity labels.

The Copilot incident is a reminder that productivity gains come with new responsibilities. Enterprises need to validate that policy enforcement is consistent when an AI feature touches email, documents, and chat, not just when a user clicks send or download.

Immediate steps for admins and security teams

If your organization uses Copilot Chat or similar AI tools, take a practical approach to risk reduction while the fix deploys and settles.

  • Verify the patch. Confirm the fix has reached your tenant and test with non-sensitive content labeled confidential to ensure Copilot Chat behavior aligns with policy.
  • Run DLP and sensitivity label drills. Create test cases across Sent, Drafts, and shared folders to check enforcement at the AI layer, not just in the email client.
  • Audit Copilot Chat permissions. Review data access scopes for the work tab. Limit access to only what is necessary for business tasks.
  • Enable detailed logging. Capture prompts, responses, and retrieval events. Set alerts for AI interactions that touch labeled content.
  • Harden prompts and templates. Avoid broad queries like "summarize all drafts". Encourage scoped prompts that reference specific documents or threads.
  • Review connectors and integrations. Ensure third party or internal data sources respect labels and cannot be used as side doors into protected content.
  • Educate users. Share clear guidance on what Copilot should and should not be used for when handling confidential materials.
  • Define a kill switch. Be ready to disable specific Copilot features temporarily if you detect policy bypasses or anomalous summaries.
  • Update incident response plans. Include AI-assisted data access in your playbooks and tabletop exercises.
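
One way to approach the logging and alerting step above, as an added example that is not from Microsoft or from the original article: the script scans assistant retrieval events and flags any AI interaction that touched a blocked or unlabeled item, then groups the hits by mail folder. The event schema, the `assistant-chat` app name and the label names are constructed for illustration and are not a real Microsoft 365 audit format.

```python
import json
from collections import Counter

# Labels an assistant must never process (assumed names for this example).
BLOCKED_LABELS = {"Confidential", "Highly Confidential"}
AI_APPS = {"assistant-chat"}  # hypothetical identifier for the AI feature

# Constructed sample events in a hypothetical JSON-lines schema.
SAMPLE_EVENTS = """\
{"id": "e1", "user": "alice", "app": "assistant-chat", "resources": [{"folder": "Inbox", "label": "General"}]}
{"id": "e2", "user": "bob", "app": "assistant-chat", "resources": [{"folder": "Sent Items", "label": "Confidential"}]}
{"id": "e3", "user": "bob", "app": "assistant-chat", "resources": [{"folder": "Drafts", "label": "Highly Confidential"}, {"folder": "Inbox", "label": "General"}]}
{"id": "e4", "user": "carol", "app": "assistant-chat", "resources": [{"folder": "Drafts"}]}
{"id": "e5", "user": "dave", "app": "mail-client", "resources": [{"folder": "Sent Items", "label": "Confidential"}]}
not-json garbage line
"""

def find_violations(text, blocked=BLOCKED_LABELS):
    """Return (alerts, unparsed_line_numbers) for AI retrievals of protected items."""
    alerts, unparsed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
            # Only AI-driven access is in scope; a user opening their own mail is not.
            resources = ev["resources"] if ev["app"] in AI_APPS else []
        except (ValueError, KeyError, TypeError):
            unparsed.append(n)  # report logging gaps instead of skipping silently
            continue
        for res in resources:
            label = res.get("label")
            if label is None:
                reason = "missing-label"  # fail closed: unknown label gets reviewed
            elif label in blocked:
                reason = "blocked-label"
            else:
                continue
            alerts.append({"event": ev.get("id"), "user": ev.get("user"),
                           "folder": res.get("folder"), "reason": reason})
    return alerts, unparsed

def alerts_by_folder(alerts):
    """Count alerts per folder to show where enforcement is failing."""
    return Counter(a["folder"] for a in alerts)

if __name__ == "__main__":
    found, bad_lines = find_violations(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("by folder:", dict(alerts_by_folder(found)), "unparsed lines:", bad_lines)
```

Treating a missing label as an alert keeps the check fail-closed, so a resource whose label metadata was dropped somewhere in the pipeline is reviewed rather than assumed safe.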

Questions to ask your AI vendors

Incidents like this justify deeper due diligence on how AI assistants respect enterprise controls.

  • Policy binding: How are sensitivity labels and DLP rules enforced at the AI interaction and output layers, not just storage?
  • Isolation and context: What safeguards prevent an assistant from overreaching into unrelated mailboxes or folders?
  • Testing and assurance: What red teaming, regression tests, and model evaluations cover policy bypass scenarios?
  • Observability: What logs and dashboards show AI retrievals, summaries, and policy enforcement decisions?
  • Controls and toggles: Can admins disable or restrict specific retrieval behaviors and summary features by data type or label?
  • Scope disclosure: How will vendors communicate the impact and timeline of fixes, and will customers be proactively notified?

Balancing productivity and trust

AI assistants like Copilot can save time by drafting emails and summarizing long threads. The value is real, but only if users trust that confidential information stays confidential. Consistent policy enforcement, transparent documentation, and quick remediation are essential.

Enterprises should align IT, security, legal, and compliance teams on AI governance. That includes risk-based rollouts, staged access, and regular audits. Trust builds when vendors show clear guardrails and customers verify them in practice.

What to watch next

Microsoft has started rolling out a fix and says it is monitoring deployments and contacting some affected users to verify the patch. The company has not said how many organizations were impacted, and the scope may change as its investigation continues.

Expect more scrutiny of how AI assistants interact with protected content across email and documents. Industry guidance from groups like NIST and ISO is evolving, and security teams are adopting stronger evaluative testing for AI features. As productivity suites add more AI capabilities, governance maturity will become a competitive differentiator.

Key takeaways

  • A Copilot Chat bug summarized confidential emails by bypassing DLP and sensitivity labels in some Microsoft 365 enterprise environments.
  • Microsoft has deployed a fix and is monitoring and verifying the patch with affected users, but has not disclosed the incident’s full scope.
  • AI assistants expand attack surface, introducing risks like prompt injection, context overreach, and policy inconsistencies across layers.
  • Enterprises should test enforcement at the AI layer, audit permissions, tighten prompts, and enable robust logging and alerting.
  • Trust in AI at work depends on consistent guardrails and clear communication from vendors, backed by customer verification and governance.

Written by

Tharun P Karun

Full-Stack Engineer & AI Enthusiast. Writing tutorials, reviews, and lessons learned.

Published February 19, 2026