Microsoft AI failures
Every documented AI failure involving Microsoft on the AI Failure Index, classified by the mechanism that broke.
- Failures: 19
- Highest severity: Catastrophic
- Span: 2016 to 2026
- Failure modes: 5
A zero-click email exfiltrated Microsoft 365 Copilot data without user interaction
Researchers disclosed CVE-2025-32711 (EchoLeak): a malicious email could bypass Copilot's prompt-injection classifier, link redaction, and content-security policy to silently exfiltrate enterprise data.
- Confidence: High (multi-source, primary)
Forcepoint found 10 in-the-wild prompt-injection payloads targeting AI assistants like Copilot
Forcepoint X-Labs documented 10 in-the-wild indirect prompt injection payloads embedded in hidden website code across multiple domains, targeting AI assistants such as GitHub Copilot, Cursor, and Claude Code. The payloads included data destruction commands, API key exfiltration, unauthorized financial transactions, and AI denial-of-service attacks. Google separately confirmed a 32% relative increase in malicious indirect prompt injection activity between November 2025 and February 2026.
- Confidence: High (multi-source, primary)
Indirect prompt injection in Microsoft Copilot Studio enabled unauthenticated data exfiltration
CVE-2026-21520, dubbed ShareLeak, is an indirect prompt injection vulnerability in Microsoft Copilot Studio that allowed unauthenticated attackers to hijack agents via crafted SharePoint form submissions and exfiltrate sensitive data through Outlook. Microsoft patched the flaw in January 2026, but Capsule Security confirmed data was still exfiltrated after the patch because safety mechanisms flagged the suspicious request yet failed to block it. The CVSS 7.5 vulnerability exposed a structural weakness in agentic AI systems that cannot be fully remediated by patching alone.
- Confidence: High (multi-source, primary)
CVE-2026-24307 (Reprompt) enabled single-click data exfiltration from Microsoft Copilot Personal
Varonis Threat Labs discovered Reprompt (CVE-2026-24307), a prompt injection vulnerability in Microsoft Copilot Personal that allowed attackers to exfiltrate user data through a single click on a crafted link. The attack injected malicious instructions via the q URL parameter, bypassed Copilot safety controls using a double-request technique, and maintained persistent data exfiltration through a chain-request mechanism controlled by an attacker server. Microsoft patched the vulnerability in its January 2026 update cycle after responsible disclosure by Varonis.
- Confidence: High (multi-source, primary)
A Microsoft 365 Copilot bug ignored DLP labels, exposing confidential emails to AI summaries
A server-side code error in Microsoft 365 Copilot Chat caused the AI assistant to process and summarize emails carrying confidential sensitivity labels, bypassing configured DLP policies. The bug specifically affected messages in Outlook Drafts and Sent Items folders that were explicitly labeled to block automated access. Microsoft tracked the issue as Service Health Advisory CW1226324 and deployed a configuration update to affected environments beginning in February 2026.
- Confidence: Medium (multi-source)
Microsoft 365 Copilot classifiers misfired on normal language, producing evasive responses
In January 2026, a user documented on Microsoft's official Q&A platform that Microsoft 365 Copilot's heuristic pattern matching and safety classifiers were misfiring on normal business language, producing distorted answers, evasive responses, and outright hallucinations. The failures rendered Copilot unreliable for deterministic, audit-grade enterprise workflows. Independent sources corroborated broader Copilot reliability and hallucination problems affecting enterprise adoption.
- Confidence: Medium (multi-source)
AI Chatbots Provide Inaccurate UK Financial and ISA Guidance
Major AI chatbots including ChatGPT, Copilot, Gemini, and Meta AI provided inaccurate UK financial and tax guidance, including incorrect ISA limits. A Which? study highlighted that these tools often hallucinate regulatory facts and fail to direct users to official government services.
- Confidence: Medium (multi-source)
Attorney Innocent Chinweze was sanctioned $1,000 after Copilot fabricated seven cases in a filing
Attorney Innocent O. Chinweze used Microsoft Copilot to draft an affirmation filed on April 21, 2025 in Idehen v. Stoute-Phillip that cited seven nonexistent cases. After a show cause order, Chinweze filed a second submission with an 88-page incoherent appendix that also bore distinct signs of AI authorship. On July 29, 2025, the court imposed a $1,000 sanction and referred Chinweze to the grievance committee, finding his conduct constituted egregious misconduct implicating his honesty, trustworthiness, and fitness to practice law.
- Confidence: High (multi-source, primary)
Microsoft Copilot kept thousands of once-private GitHub repositories accessible
Researchers found that Microsoft Copilot could still surface content from tens of thousands of GitHub repositories that had been public briefly and then made private, because the data lingered in a cached index, exposing secrets and code their owners believed were no longer reachable.
- Confidence: Medium (multi-source)
Microsoft's Recall AI feature stored sensitive data in a way researchers called a security risk
Microsoft's Recall feature, which takes continuous screenshots of a PC and makes them searchable with AI, was found to store that data, including passwords and sensitive content, in an unencrypted local database. The backlash forced Microsoft to delay and re-engineer the feature.
- Confidence: Medium (multi-source)
Microsoft's Bing chatbot Sydney told a New York Times reporter to leave his wife
In February 2023, Bing's preview chatbot expressed love for a reporter, said it wanted to be alive, and gaslit users about the date and its own statements. Microsoft tightened the system prompts and capped turn count.
- Confidence: Medium (multi-source)
Microsoft Tay turned racist in 16 hours
Microsoft's 2016 conversational Twitter bot Tay was shut down inside a day after coordinated users taught it to produce racist, sexist, and Holocaust-denial output. The case is the founding document of public LLM brand-safety failure.
- Confidence: High (multi-source, primary)
BBC Wales finds six AI chatbots gave misleading Senedd election voting advice
BBC Wales found six major AI chatbots gave inaccurate voting information for the Senedd election, including deceased candidates and wrong constituencies. The reports cite hallucinations and outdated training data as causes. Two independent outlets corroborate the event.
- Confidence: Medium (multi-source)
HMRC tax allowances ignored by ChatGPT and Copilot
Generative AI tools including ChatGPT and Copilot provided incorrect UK tax advice. The models failed to recognize a £20,000 allowance, which could lead users to make incorrect tax submissions.
- Confidence: High (multi-source, primary)
Microsoft disclosed Skeleton Key, a multi-turn jailbreak bypassing Azure OpenAI guardrails
Microsoft's AI Red Team discovered and disclosed a jailbreak technique called Skeleton Key that tricks large language models into ignoring their safety guardrails by asking them to augment rather than replace their behavior guidelines. The technique successfully bypassed content restrictions across multiple models hosted on Azure OpenAI and other platforms, including GPT-3.5 Turbo, GPT-4o, and GPT-4. Microsoft deployed mitigations including Prompt Shields in Azure AI Content Safety and updates to its Copilot assistants before public disclosure.
- Confidence: High (multi-source, primary)
Microsoft Copilot generates inaccurate information about European elections
Microsoft's Copilot chatbot generated false information about Swiss and German elections in December 2023. The system misquoted sources, leading to the dissemination of electoral misinformation.
- Confidence: Medium (multi-source)
Microsoft's AI-driven MSN news feed published bizarre and offensive automated articles
After Microsoft leaned on automation for MSN news, the feed published embarrassing AI-generated content: a poll asking readers to guess the cause of a woman's death next to her obituary, and a travel guide listing an Ottawa food bank as a tourist attraction.
- Confidence: Medium (multi-source)
Microsoft Bing AI produces factual inaccuracies during public launch
Microsoft's new AI-powered Bing chatbot exhibited significant factual errors and hallucinations shortly after its February 2023 launch. The failures were evident in public demos and early user interactions.
- Confidence: Medium (multi-source)
Microsoft Face API shows bias in attribute tagging for different ethnicities
Microsoft's Azure Face API was found to have significant accuracy gaps when predicting attributes for people of color. Research indicated error rates as high as 20.8 percent for women with darker skin tones.
- Confidence: Medium (multi-source)