Microsoft 365 Copilot Bug Exposed Confidential Emails to AI Summarisation
Microsoft has officially acknowledged a significant security flaw in its Microsoft 365 Copilot AI assistant, which has been improperly accessing and summarising confidential emails since late January. The software giant revealed that this bug could circumvent critical data loss prevention (DLP) policies that organisations implement to safeguard sensitive information.
Root Cause and Technical Details of the Vulnerability
According to Microsoft, the issue stems from a fundamental code error within the system. "A code issue is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place," the company stated in a service alert. This vulnerability, tracked as CW1226324 and first detected on January 21, specifically affects Copilot's work tab chat feature. It was incorrectly processing emails from users' Sent Items and Drafts folders, including those marked with confidentiality labels designed to block automated tools.
Microsoft elaborated in its alert: "Users' email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat. The Microsoft 365 Copilot 'work tab' Chat is summarising email messages even though these email messages have a sensitivity label applied and a DLP policy is configured."
Response and Remediation Efforts
The company began rolling out a fix earlier this month and is actively monitoring the deployment. Microsoft is also reaching out to affected users to verify that the patch is effective. However, the tech giant has not provided a specific timeline for full remediation and has declined to disclose the exact number of users or organisations impacted. It noted that the scope of impact may evolve as the investigation progresses. The incident has been classified as an advisory, a category typically reserved for issues with limited scope or impact.
Background on Microsoft 365 Copilot
Copilot Chat is Microsoft's advanced, AI-powered assistant that enables users to interact with AI agents across various applications. Launched in September 2025, it was rolled out to Word, Excel, PowerPoint, Outlook, and OneNote for paying Microsoft 365 business customers, aiming to enhance productivity through content-aware assistance.
Recent Windows 11 Update Issues
In a separate but related development, Microsoft faced another technical challenge last month with the first Windows 11 update of the year. This update, identified as KB5034763, caused unexpected shutdown and restart failures for some users. The problem originated from an out-of-band update released in mid-January 2026, after which devices running Windows 11 version 23H2 with Secure Launch enabled failed to complete shutdown and restart operations properly.
Microsoft acknowledged the bug, attributing it to a compatibility issue in the update process, and assured users that it did not compromise data integrity or overall system performance. The company advised affected users to install the latest cumulative update, which resolves these issues along with connection and authentication failures in remote connection apps across multiple platforms.
This series of incidents highlights ongoing challenges in software deployment and AI integration, underscoring the importance of robust testing and swift response mechanisms in the tech industry.
