Microsoft Copilot Bug Bypassed DLP Policies, Exposed Confidential Emails

https://x.com/TheHackersNews/status/2025865562665144729?s=20 ↗

🌐 x.com 🕐 Under 1 min 📝 50 words 🌍 EN 📅 Feb 23, 2026 6:43 pm

microsoft copilot security dlp data-privacy ai vulnerability Open Link ↗

Microsoft says a Copilot bug (CW1226324) let Microsoft 365 Copilot summarize confidential emails, bypassing DLP policies.

Since Jan 21, 2026, emails in Sent Items and Drafts with sensitivity labels were processed in Copilot Chat without permission.

Microsoft fixed the issue on… pic.twitter.com/Omj2Mg1p7N
— The Hacker News (@TheHackersNews) February 23, 2026

View on X ↗

Editor's Synopsis

Microsoft disclosed a bug in Microsoft 365 Copilot (tracked as CW1226324) that allowed the AI assistant to summarize confidential emails in violation of Data Loss Prevention (DLP) policies. Starting January 21, 2026, emails stored in Sent Items and Drafts folders that carried sensitivity labels were being processed by Copilot Chat without proper permission checks.

This vulnerability is significant because it undermines the trust organizations place in sensitivity labels and DLP controls to protect confidential information. Microsoft has since fixed the issue, but the incident highlights the ongoing challenges of integrating AI tools like Copilot with existing enterprise security frameworks, where a single bug can inadvertently expose sensitive data at scale.