Microsoft admits that an Office bug exposed sensitive user emails to Copilot


  • Copilot Chat was reading sent and draft emails, but the Inbox folder appears to have been protected.
  • The bug (CW1226324) was identified in January and fixed in February.
  • Although the fix is being rolled out, this remains a persistent issue.

Microsoft has confirmed that a bug in M365 Copilot Chat allowed the AI chatbot to summarize sensitive emails without users’ permission, bypassing data loss prevention (DLP) policies and sensitivity/confidentiality labels designed to prevent Copilot from accessing the emails in the first place.

Although inboxes were not affected, Copilot Chat gained access to the Sent and Drafts folders, and presumably entire threads within them, which also include incoming emails.


