A bug has been causing Microsoft Copilot to read and summarise users’ confidential emails, and it’s been happening since late January.
Microsoft says the issue stems from a code error that bypassed data loss prevention (DLP) policies designed to stop sensitive information from being accessed in the first place. It was first reported by BleepingComputer.
“Users’ email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat,” Microsoft said.
Copilot Chat (Microsoft’s AI assistant built into Microsoft 365) debuted in September for business customers across Word, Excel, PowerPoint, Outlook, and OneNote. The idea is simple: let users interact with AI agents inside the tools they use every day. But in this case, the assistant appears to have overstepped its boundaries.
The flaw affects Copilot’s “work” tab, which has been automatically summarising emails in users’ “sent items” and “drafts” folders, even when those folders were explicitly marked confidential. In other words, content that had been deliberately labelled to prevent automated access was still being pulled into AI summaries. According to a service alert, those protections were effectively ignored.
Microsoft says an unspecified coding issue is to blame. The company began rolling out a fix earlier this month and, as of 18 February, said it was working directly with impacted users to confirm the patch is resolving the problem.
“A code issue is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place,” Microsoft said.
Not the First Copilot Security Concern
This isn’t the first time Copilot has faced security concerns.
In January, researchers at Varonis disclosed an attack technique dubbed “Reprompt.” The issue reportedly allowed attackers to extract user information through a single Microsoft link, even after the Copilot chat session had been closed.
According to Varonis, “Only a single click on a legitimate Microsoft link is required to compromise victims. No plugins, no user interaction with Copilot. The attacker maintains control even when the Copilot chat is closed, allowing the victim’s session to be silently exfiltrated with no interaction beyond that first click.”
It added that the attack bypasses Copilot’s built-in guardrails that were designed to prevent such an event.
Bad actors could instruct the chatbot to summarise files a user had accessed that day and surface personal details, such as where the user lived or had travelled. Microsoft has since said that the vulnerability has been patched.
These Incidents Will Likely Surge in 2026
Dr Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said: “With the rapid proliferation of agentic AI and AI-powered plugins for traditional software, incidents like this one will likely surge in 2026, possibly becoming the most frequent type of security incident at both large and small companies around the globe.”
According to him, most corporations are not ready to properly secure and manage AI in the workplace, while both employers and employees are rapidly switching to mushrooming AI solutions in the hope of gaining some productivity. “Traditional security controls, such as DLP systems, are currently unable to reliably detect unauthorized or excessive use of AI by unwitting employees or malicious insiders. Worse, cybercriminals are already actively creating malicious AI agents and applications to steal sensitive data from users.”
AI Will Be a Disaster for Privacy
Misuse of AI will also be a disaster for privacy in 2026, Kolochenko adds. “Every day, tons of sensitive personal data are shared with LLMs around the globe without any precautions. Even governmental agencies of developed countries are exposed to this risk because of inadequate or simply missing governance of AI in the workplace. Shadow AI, when employees bring their own devices with AI apps to scan or otherwise ingest confidential data, will be among the key challenges to tackle.”
In 2026, and moving forward, he says we will probably see many class-action and individual lawsuits against both tech giants and AI boutiques for unlawful collection of user data. “Some unscrupulous actors who purposely use Agentic AI to obtain valuable or confidential data will likely claim that they have been collecting the data without authorization by mistake. Whether such a defence will stand in courts depends on many factors, but the AI industry will likely suffer a lot, with some AI vendors going out of business due to litigation and reputational losses.”
Lastly, he says, once a few security incidents of sufficient scale and damage occur, such as the crash of a Critical National Infrastructure (CNI) provider or a massive leak of classified documents, governments on both sides of the Atlantic will probably rush to severely regulate the use of AI, possibly creating a new AI winter.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


