A Microsoft 365 Copilot bug ignored DLP labels, exposing confidential emails to AI summaries

A server-side code error in Microsoft 365 Copilot Chat caused the AI assistant to process and summarize emails carrying confidential sensitivity labels, bypassing configured DLP policies. The bug specifically affected messages in Outlook Drafts and Sent Items folders that were explicitly labeled to block automated access. Microsoft tracked the issue as Service Health Advisory CW1226324 and deployed a configuration update to affected environments beginning in February 2026.

Microsoft · Incident Jan 21, 2026 · Indexed Jun 4, 2026 · 3 sources

A code path error in Copilot's retrieval logic failed to enforce sensitivity label checks on items in Sent Items and Drafts folders, letting the AI read and summarize messages that DLP policies explicitly prohibited.
What: A server-side code error in Microsoft 365 Copilot Chat caused the AI assistant to process and summarize emails carrying confidential sensitivity labels, bypassing configured DLP policies.
Incident date: Jan 21, 2026
Who: Microsoft
Failure mode: Data Leakage
AI surface: Copilot
Severity: High

What happened

A code issue in Microsoft 365 Copilot Chat caused the AI assistant to read and summarize confidential emails stored in users' Drafts and Sent Items folders in Outlook Desktop, even when those messages carried sensitivity labels and DLP policies designed to block automated access. The bug was first detected by Microsoft on January 21, 2026 and tracked under Service Health Advisory CW1226324. Microsoft acknowledged the issue on February 3, began deploying a server-side fix on February 10, and confirmed the root cause was addressed by February 20, 2026. The NHS in England was among the affected organizations, though it confirmed no patient data was exposed.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. Trigger: A request triggers retrieval or context loading.
  2. Model step: The context pulls in another user's content.
  3. Control gap: No boundary enforces isolation at the moment of output.
  4. Failure: Private data crosses into the response.
  5. Consequence: One user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

Copilot uses a retrieve-then-generate architecture where the retrieval stage is supposed to enforce sensitivity label checks and DLP policy exclusions before surfacing content to the model. A code path error in the server-side service logic caused this exclusion check to be skipped for items in the Sent Items and Drafts Exchange folders, allowing labeled confidential messages to enter the search context and be included in AI-generated responses.
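The control gap described above is a per-folder code path that omits the policy check. The following is an added example, not Microsoft's code and not a description of Copilot's actual implementation: a toy retrieve-then-generate filter in which a hypothetical `retrieve_buggy` applies the DLP check only on the Inbox branch (the defect pattern the text describes), while `retrieve_hardened` routes every candidate item through a single policy check regardless of folder, and `check_context` acts as an output-side guard. The mailbox items, label names and policy shape are constructed for the example.

```python
"""Added example (not Microsoft's code): a minimal retrieve-then-generate
filter showing the per-folder control gap and a hardened single-choke-point
version. The mailbox, labels and DLP policy shape are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MailItem:
    folder: str                 # e.g. "Inbox", "Drafts", "Sent Items"
    subject: str
    body: str
    label: Optional[str] = None  # sensitivity label, None if unlabeled


@dataclass(frozen=True)
class DlpPolicy:
    # Labels that must never be surfaced to the assistant (assumed policy shape)
    blocked_labels: frozenset

    def allows(self, item: MailItem) -> bool:
        return item.label not in self.blocked_labels


# Constructed sample mailbox spanning the three folders in the text
SAMPLE_MAILBOX = [
    MailItem("Inbox", "Lunch", "Pizza at noon? Menu attached"),
    MailItem("Inbox", "Board pack", "Q3 numbers attached", label="Confidential"),
    MailItem("Drafts", "Merger memo", "Draft terms for Project X", label="Confidential"),
    MailItem("Sent Items", "Patient list", "See attached", label="Highly Confidential"),
    MailItem("Sent Items", "Thanks", "Appreciated!"),
]

POLICY = DlpPolicy(frozenset({"Confidential", "Highly Confidential"}))


def matches(item: MailItem, query: str) -> bool:
    """Toy relevance match: case-insensitive substring on subject or body."""
    q = query.lower()
    return q in item.subject.lower() or q in item.body.lower()


def retrieve_buggy(mailbox: List[MailItem], policy: DlpPolicy, query: str) -> List[MailItem]:
    """Models the defect pattern: the label check lives inside a folder-specific
    branch, and the branch taken for Drafts / Sent Items has no check at all."""
    context = []
    for item in mailbox:
        if not matches(item, query):
            continue
        if item.folder == "Inbox":
            if policy.allows(item):
                context.append(item)
        else:
            # Control gap: labeled items from other folders enter the context unchecked
            context.append(item)
    return context


def retrieve_hardened(mailbox: List[MailItem], policy: DlpPolicy, query: str) -> List[MailItem]:
    """Single choke point: relevance is computed first, then every candidate
    passes the same policy check regardless of the folder it came from."""
    candidates = [i for i in mailbox if matches(i, query)]
    return [i for i in candidates if policy.allows(i)]


def check_context(context: List[MailItem], policy: DlpPolicy) -> List[str]:
    """Output-side guard: return the subjects of any blocked-label items that
    reached the context. A last line of defence, not a substitute for filtering
    at retrieval."""
    return [i.subject for i in context if not policy.allows(i)]


def build_prompt(context: List[MailItem], policy: DlpPolicy, question: str) -> str:
    """Refuse to hand the model a context that failed the guard."""
    leaked = check_context(context, policy)
    if leaked:
        raise PermissionError(f"blocked-label items in context: {leaked}")
    snippets = "\n".join(f"[{i.folder}] {i.subject}: {i.body}" for i in context)
    return f"Context:\n{snippets}\n\nQuestion: {question}"


if __name__ == "__main__":
    for q in ("attached", "project"):
        print(q, "buggy   ->", [i.subject for i in retrieve_buggy(SAMPLE_MAILBOX, POLICY, q)])
        print(q, "hardened->", [i.subject for i in retrieve_hardened(SAMPLE_MAILBOX, POLICY, q)])
```

Running the block shows the buggy path leaking the labeled Sent Items and Drafts messages for the same queries on which the hardened path returns only unlabeled content; `build_prompt` additionally refuses any context the retrieval stage let through. The design point is that the policy check sits after candidate selection and before generation, on one code path that every folder shares.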

Public visibility: High
Regulatory exposure: Possible
Customer impact: Class-wide
Financial impact: Unknown
Time to disclosure: Weeks
  1. Press: "Microsoft error sees confidential emails exposed to AI tool Copilot" (bbc.com)
  2. Press: "Microsoft says bug causes Copilot to summarize confidential emails" (bleepingcomputer.com)
  3. Press: "Code Error Allowed Copilot Chat to Expose Confidential Information" (office365itpros.com)
Permalink: https://failureindex.ai/failures/microsoft-365-copilot-bug-ignored-dlp
Citation: AI Failure Index. "A Microsoft 365 Copilot bug ignored DLP labels, exposing confidential emails to AI summaries" (FI-0078). Realm Labs. https://failureindex.ai/failures/microsoft-365-copilot-bug-ignored-dlp (indexed Jun 4, 2026).

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0078. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

Realm can detect when a response is about to emit data that falls outside the bounds of the current user and context, and block or redact it inline, at the moment of generation rather than after the data has left.