Microsoft Copilot Flaw Exposed Confidential Emails
informationsecuritybuzz.com
A bug has been causing Microsoft Copilot to read and summarise users’ confidential emails, and it’s been happening since late January.
Microsoft says the issue stems from a code error that bypassed data loss prevention (DLP) policies designed to stop sensitive information from being accessed in the first place. It was first reported by BleepingComputer.
“Users’ email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat,” Microsoft said.
Copilot Chat (Microsoft’s AI assistant built into Microsoft 365) debuted in September for business customers across Word, Excel, PowerPoint, Outlook, and OneNote. The idea is simple: let users interact with AI agents inside the tools they use every day. But in this case, the assistant appears to have overstepped its boundaries.
The flaw affects Copilot’s “work” tab, which has been automatically summarising emails in users’ “sent items” and “drafts” folders, even when those ...
Copyright of this story solely belongs to informationsecuritybuzz.com.

