Copilot Chat Bug Bypasses DLP on 'Confidential' Email
A code error caused Microsoft 365 Copilot to bypass data loss prevention and confidentiality labels, prompting a fix rollout starting early February, Microsoft said.
- On February 18, 2026, Microsoft confirmed a bug let Microsoft 365 Copilot summarize customers' confidential emails for weeks and logged the incident as an advisory.
- The issue (bug CW1226324), traced to a code error, was first detected on January 21, 2026, with Redmond saying it caused Copilot to pick up items it should not have processed.
- In practice, the feature was summarizing emails stored in Sent Items and Drafts folders despite sensitivity labels and DLP policies, Microsoft said.
- Microsoft began rolling out a fix in early February and is monitoring the deployment while contacting a subset of affected users, though it has not disclosed a final timeline or affected customer numbers.
- In the enterprise context, Microsoft documentation shows sensitivity labels may function differently across apps, while 72 percent of S&P 500 companies cite AI as a material risk despite DLP and Microsoft Purview protections.
15 Articles
Microsoft says bug causes Copilot to summarize confidential emails
Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information.
When compliance becomes a mere formality, a single programming error is all it takes – and the most sophisticated security architecture collapses. That's precisely what happened with Microsoft Copilot. A bug in the code allowed the AI assistant to display confidential content from Outlook folders, even though it was protected by Data Loss Prevention and sensitivity labels. The problem wasn't […]










