
Microsoft 365 Copilot Bug Bypasses DLP Policies on Confidential Emails


The Security Issue in Microsoft 365 Copilot

Organizations rely on email security settings, including Data Loss Prevention (DLP) policies and sensitivity labels, to protect confidential information. A bug in the work tab of Microsoft 365 Copilot Chat undermined these controls. Starting January 21 (tracked by Microsoft under internal reference CW1226324), the AI assistant read and summarized emails in Outlook's Sent Items and Drafts folders, including messages marked confidential.

This bypass meant restricted content was processed despite policies designed to keep it away from automated systems. Copilot, which summarizes content, drafts responses, and analyzes data across Microsoft apps such as Word, Excel, PowerPoint, Outlook, and OneNote, operated outside the boundaries administrators expected those policies to enforce.

We identified and addressed an issue where Microsoft 365 Copilot Chat could return content from emails labeled confidential authored by a user and stored within their Draft and Sent Items in Outlook desktop. This did not provide anyone access to information they weren't already authorized to see. While our access controls and data protection policies remained intact, this behavior did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access. A configuration update has been deployed worldwide for enterprise customers. — Microsoft spokesperson

Implications for Enterprise Security

The concern extends beyond the bug itself: AI assistants require deep access to email and documents to function, yet those same platforms hold an organization's most sensitive data. Even a temporary failure of the controls can expose legal discussions, financial projections, or HR communications to unexpected processing. Microsoft began rolling out a fix in early February and is monitoring deployment while contacting affected users, but no final remediation timeline or count of affected organizations has been disclosed.

Microsoft classified the issue as an advisory, which suggests a limited scope, though security professionals have asked for more detail. The incident highlights the difficulty of integrating AI into productivity platforms faster than the surrounding security controls evolve.

Practical Steps for Organizations

Organizations using Microsoft 365 Copilot should work with IT to confirm which folders and data sources Copilot can reach. Sensitivity labels and DLP rules should be tested to confirm they block AI processing as intended, rather than assumed to work. Stay current on Microsoft service alerts, verify that the fix has reached your tenant, and review audit logs for Copilot activity on labeled emails.
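The audit-log review suggested above, as an added example that is not from the article or from Microsoft: it scans exported audit records for Copilot interactions that touched content carrying a sensitivity label you care about. The record field names (RecordType, CopilotEventData, AccessedResources, SensitivityLabelId) are an assumption based on the CopilotInteraction audit schema, and the sample lines and label IDs are constructed; check the field names against a real export from your tenant before relying on it.

```python
import json

# Constructed sample export: one JSON object per line, shaped like the AuditData payload of
# unified audit log CopilotInteraction records. Field names are assumed, not taken from the page.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2026-01-28T14:02:11","UserId":"alice@contoso.example",'
    '"RecordType":"CopilotInteraction","CopilotEventData":{"AppHost":"Outlook",'
    '"AccessedResources":[{"Type":"Email","Name":"Q1 forecast (draft)",'
    '"SensitivityLabelId":"LABEL-CONF-0001"}]}}',
    '{"CreationTime":"2026-01-28T14:05:40","UserId":"bob@contoso.example",'
    '"RecordType":"CopilotInteraction","CopilotEventData":{"AppHost":"Word",'
    '"AccessedResources":[{"Type":"Document","Name":"Lunch menu",'
    '"SensitivityLabelId":"LABEL-GEN-0002"}]}}',
    '{"CreationTime":"2026-01-28T14:07:03","UserId":"carol@contoso.example",'
    '"RecordType":"MailItemsAccessed"}',
    'not valid json at all',
]

# Constructed placeholder label IDs mapped to the label names DLP is meant to protect.
WATCHED_LABELS = {"LABEL-CONF-0001": "Confidential", "LABEL-HC-0003": "Highly Confidential"}


def parse_audit_lines(lines):
    """Yield parsed records, skipping malformed lines instead of aborting the whole review."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_labeled_copilot_access(lines, watched_labels=WATCHED_LABELS):
    """Return one finding per resource Copilot accessed that carries a watched sensitivity label."""
    findings = []
    for rec in parse_audit_lines(lines):
        if rec.get("RecordType") != "CopilotInteraction":
            continue  # other record types are not Copilot reads
        event = rec.get("CopilotEventData") or {}
        for res in event.get("AccessedResources") or []:
            label_id = res.get("SensitivityLabelId")
            if label_id in watched_labels:
                findings.append({
                    "time": rec.get("CreationTime"),
                    "user": rec.get("UserId"),
                    "app": event.get("AppHost"),
                    "resource": res.get("Name"),
                    "label": watched_labels[label_id],
                })
    return findings


if __name__ == "__main__":
    for f in find_labeled_copilot_access(SAMPLE_AUDIT_LINES):
        print(f"{f['time']} {f['user']} via {f['app']} read '{f['resource']}' labeled {f['label']}")
```

Any hit after the fix date is worth raising with Microsoft support, since it indicates labeled content is still reaching Copilot.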

Recommended Actions to Mitigate Risk

  • Temporarily restrict Copilot features if concerns persist until verification.
  • Remind staff to handle sensitive content carefully in drafts and sent items.
  • Evaluate long-term storage of sensitive drafts and consider deletion post-send.
  • Opt for phased Copilot rollout starting with low-sensitivity departments.
  • Reassess AI integration with compliance controls as a learning opportunity.
  • Confirm confidential labels block AI processing to close configuration gaps.

Broader AI and Privacy Considerations

Enterprise AI incidents raise broader questions about how much data an email platform's automated systems can reach. Privacy-focused email services with end-to-end encryption, PGP support, no ad-scanning, and disposable aliases offer one way to limit that exposure. No provider is bug-proof, but a provider that prioritizes privacy over data monetization simply has less readable information available to any automated system in the first place.

As AI embeds deeper into business tools, trust hinges on robust guardrails, transparency, rapid fixes, and clear communication. Organizations must verify that AI features respect every boundary that has been configured, not assume that they do.


Copyright © Info Gulp 2026