Microsoft 365 Copilot Bug Exposed Confidential Emails for Weeks

A significant security oversight in Microsoft 365 Copilot has forced enterprises to confront a hard truth about AI integration in productivity suites: even well-intentioned safeguards can fail. Since late January, the AI assistant has been summarizing confidential emails in ways that completely bypassed established data loss prevention (DLP) policies and sensitivity labelsthe very controls designed to prevent exactly this scenario.

This incident affects organizations relying on Microsoft 365 Copilot Chat, the AI-powered feature available to paying customers across Word, Excel, PowerPoint, Outlook, and OneNote. The bug, tracked internally as CW1226324 and first detected on January 21, specifically impacts the Copilot "work tab" chat experience, which was designed to help users interact with AI agents while respecting organizational governance controls.

The root cause was a code defect that allowed Copilot to ingest and summarize email messages stored in users' Sent Items and Drafts folders, even when those messages carried explicit confidentiality labels and were protected by DLP policies. Microsoft's own description of the issue underscores the severity: "Users' email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat. The Microsoft 365 Copilot 'work tab' Chat is summarizing email messages even though these email messages have a sensitivity label applied and a DLP policy is configured."

What makes this particularly troubling is that sensitivity labels and DLP policies are foundational governance tools in regulated industrieshealthcare, finance, legal, and government sectors rely on them to prevent unauthorized access, sharing, or exfiltration of sensitive data. The bug essentially rendered these controls invisible to Copilot, creating a blind spot in enterprise security architecture. The defect was narrowly scoped to Sent Items and Drafts folders, meaning emails in other folders were not affected, but this distinction offers little comfort to organizations that routinely store sensitive draft communications and sent correspondence.

The vulnerability remained active for approximately three weeks before Microsoft acknowledged it publicly. Customers first reported the issue on January 21, 2026, but Microsoft did not confirm the problem until early February, when it began rolling out a fix. As of mid-February, the company continued monitoring the deployment and reached out to a subset of affected users to verify remediation, but Microsoft has not disclosed the total number of organizations or users impacted.

The incident is currently categorized as an advisorya classification typically reserved for service issues with limited scope or impact. However, this designation has drawn criticism from security professionals and IT leaders who question whether a breach of confidential email handling warrants such a low-severity label. Microsoft has not provided a definitive timeline for full resolution, leaving enterprises in a state of uncertainty about when the fix will be universally deployed.

Enterprises using Microsoft 365 Copilot should take immediate action to assess their exposure. First, review your Copilot settings and DLP policies to ensure they are correctly configured. If you received notification from Microsoft about being affected, verify that the fix has been applied to your tenant. Second, audit any Copilot Chat interactions that occurred between January 21 and early February to determine whether sensitive information was processed or summarized. Third, consider temporarily restricting Copilot access to sensitive email folders until Microsoft confirms full remediation across your organization.

For regulated industries, this incident may trigger compliance review requirements. Organizations subject to HIPAA, GDPR, SOX, or other regulatory frameworks should document the bug, the timeline of exposure, and remediation steps taken. Legal and compliance teams should assess whether breach notification obligations apply, particularly if confidential customer data or personally identifiable information was processed by Copilot without authorization.

This bug exposes a fundamental challenge in enterprise AI deployment: the difficulty of enforcing data governance policies across complex, interconnected systems. Copilot Chat was designed to be content-aware and context-sensitive, which requires broad access to organizational data. However, that same broad access creates risk if the underlying code does not properly respect security boundaries. The incident raises uncomfortable questions about how thoroughly Microsoft tested Copilot before rolling it out to enterprise customers, particularly given that checking email in the Sent Items folder should have been a basic validation step for DLP policy enforcement.

The European Parliament's IT department has already responded by blocking built-in AI features on lawmakers' work devices, citing concerns that AI tools could upload confidential correspondence to the cloud without proper safeguards. This decision reflects growing skepticism about whether current AI implementations can be trusted with sensitive organizational data, even with policies in place.

Q: Does this bug affect all Microsoft 365 users?
A: No. The bug specifically affects organizations using Microsoft 365 Copilot Chat, which is a paid add-on feature for business customers. Personal Microsoft 365 accounts without Copilot Chat are not affected.

Q: Can I check if my organization was impacted?
A: Microsoft has contacted a subset of affected users, but the company has not disclosed the total number of organizations impacted. Contact your IT administrator or Microsoft support to confirm whether your tenant was affected and whether the fix has been applied.

Q: What should I do if my organization uses Copilot Chat?
A: Review your DLP policies and Copilot settings, verify that the fix has been deployed, and audit Copilot interactions from January 21 through early February to assess exposure. If your organization handles regulated data, involve your compliance and legal teams.

This incident is a sobering reminder that AI integration into enterprise systems requires more rigorous testing and governance than traditional software features. The fact that a code defect could silently bypass foundational security controls for three weeks suggests that Microsoft's testing protocols for Copilot did not adequately simulate real-world DLP scenarios. Organizations should not assume that AI assistants will automatically respect security policiesthey must actively verify, audit, and restrict AI access to sensitive data until vendors demonstrate consistent, transparent compliance with governance controls. For now, enterprises in regulated industries should seriously consider whether the productivity gains from Copilot Chat justify the governance risks, particularly until Microsoft provides more transparency about the scope of this incident and stronger assurances about future safeguards.