A code defect in Microsoft 365 Copilot bypassed sensitivity labels on Outlook emails, exposing confidential content in Sent Items and Drafts folders for roughly four weeks. It was the second such failure in eight months.
By LDS Team
February 26, 2026
For approximately four weeks between late January and mid-February 2026, Microsoft 365 Copilot had a quiet problem. When users opened Copilot Chat's "Work" tab and asked a question, the AI assistant would sometimes pull content from emails in their Outlook Sent Items and Drafts folders -- including emails marked with Microsoft Purview sensitivity labels like "Confidential" or "Highly Confidential."
The sensitivity labels were supposed to prevent exactly this. Microsoft Purview's data loss prevention (DLP) system is the cornerstone of enterprise data protection in Microsoft 365. Organizations use it to ensure that sensitive documents, emails, and messages stay within authorized boundaries. When an email is labeled "Confidential," that label is supposed to follow the content everywhere it goes -- including into AI-generated responses.
Copilot ignored the labels. Not because of a cyberattack or a prompt injection exploit. Because of a bug in Microsoft's own code.
Microsoft tracked the issue internally as service health advisory CW1226324. It was not assigned a CVE. There was no external attacker. The company's own AI assistant simply stopped respecting the rules it was built to enforce.
What Actually Happened
The defect was specific but consequential. Microsoft 365 Copilot Chat has a "Work" tab that queries a user's Microsoft 365 data -- emails, documents, calendar entries, Teams messages -- using the Microsoft Graph API. The AI retrieves relevant content, processes it through a retrieval-augmented generation (RAG) pipeline, and returns a synthesized answer.
Under normal operation, this pipeline checks Purview sensitivity labels before including any content in its response. If an email is labeled "Confidential," Copilot is supposed to either exclude it or apply the appropriate DLP restrictions to its output.
The bug broke this check for two specific Outlook locations: Sent Items and Drafts folders in the Outlook desktop client. When Copilot retrieved emails from these folders, it failed to evaluate their sensitivity labels. The content was pulled into AI responses as if it had no classification at all.
This meant that a user asking Copilot a routine question -- "What did I discuss with the finance team last week?" -- could receive a response containing text from emails they had authored and labeled as confidential. The AI would surface the content without any sensitivity marking on its output.
Worth noting: Microsoft emphasized that Copilot "did not provide anyone access to information they weren't already authorized to see." The user whose Copilot surfaced confidential content was the same user who had authored those emails. The issue was not unauthorized access between users -- it was that DLP controls failed to propagate through Copilot's responses, meaning confidential content could then be copied, shared, or referenced without its sensitivity context.
The distinction matters, but it is narrower than Microsoft's framing suggests. The entire purpose of sensitivity labels is to ensure that content retains its classification regardless of how it is accessed. A user may have authored a confidential email, but that does not mean they are authorized to strip its classification and paste the contents into an unprotected Teams chat -- which is exactly what Copilot's output enabled.
Who Was Affected
Microsoft 365 Copilot had approximately 15 million paid seats as of January 28, 2026, according to Microsoft's Q2 FY2026 earnings call. At $30 per user per month, that represents a $5.4 billion annualized revenue stream. Microsoft has stated that 70% of Fortune 500 companies use Copilot.
Not all 15 million users were necessarily affected. The bug specifically required:
- Using Copilot Chat's "Work" tab (not other Copilot entry points)
- Having emails with sensitivity labels in Sent Items or Drafts
- Using the Outlook desktop client (web and mobile clients were not confirmed affected)
- Asking Copilot a question that triggered retrieval from those folders
But for organizations that rely heavily on Purview sensitivity labels -- which includes most large enterprises, government agencies, healthcare organizations, and financial institutions -- the exposure was significant.
The UK's National Health Service confirmed it was affected, tracking the issue internally as INC46740412. The NHS is one of the world's largest healthcare organizations, handling millions of patient records under strict data protection regulations. Copilot surfacing confidential health-related correspondence without sensitivity controls is exactly the scenario that data protection officers spend their careers trying to prevent.
The Timeline
The Second Time in Eight Months
What elevated this from an embarrassing bug to a trust crisis was the pattern. CW1226324 was the second time in eight months that Microsoft 365 Copilot had violated its own sensitivity label enforcement.
In June 2025, security firm Aim Security disclosed EchoLeak (CVE-2025-32711), a zero-click prompt injection vulnerability with a CVSS score of 9.3 out of 10. EchoLeak allowed an attacker to craft a malicious email that, when processed by Copilot, would exfiltrate the victim's sensitive data to an external server -- without the victim clicking anything or even reading the email. The attack worked by embedding hidden instructions in an email that Copilot would execute when summarizing the victim's inbox.
Microsoft patched EchoLeak in June 2025. Eight months later, Copilot was bypassing sensitivity labels again -- this time through its own code defect rather than an external attack.
The two incidents are technically different. EchoLeak was an externally exploitable vulnerability. CW1226324 was an internal code defect. But from an enterprise trust perspective, the distinction is academic. In both cases, Copilot exposed confidential content that sensitivity labels were supposed to protect.
| CW1226324 (Feb 2026) | EchoLeak (June 2025) | |
|---|---|---|
| Type | Internal code defect | Zero-click prompt injection |
| CVE assigned | No (service health advisory) | Yes (CVE-2025-32711, CVSS 9.3) |
| Attack required | No -- triggered by normal use | Yes -- crafted malicious email |
| What was exposed | Confidential emails in Sent/Drafts | Sensitive data exfiltrated externally |
| Folders affected | Sent Items, Drafts (Outlook desktop) | Any email processed by Copilot |
| User interaction needed | Ask Copilot any question | None (zero-click) |
| Duration before fix | ~4 weeks | ~5 months (Jan-June 2025) |
| Detection | Customer reports | Aim Security research |
A Growing List of Copilot Vulnerabilities
CW1226324 and EchoLeak are not isolated incidents. They are part of a pattern of security failures in Microsoft's Copilot ecosystem that stretches back to 2024.
August 2024: Johann Rehberger's ASCII smuggling attack. Security researcher Johann Rehberger demonstrated a multi-stage prompt injection chain against Microsoft 365 Copilot. The attack used invisible Unicode characters to encode sensitive data into clickable hyperlinks that Copilot would render in its responses. When a user clicked the link, the encoded data was transmitted to an attacker-controlled server. Microsoft patched the issue after Rehberger's disclosure through his "Embrace The Red" blog.
August 2024: Copilot Studio SSRF (CVE-2024-38206). Tenable Research discovered a server-side request forgery vulnerability in Microsoft Copilot Studio that allowed attackers to access internal infrastructure, including the Instance Metadata Service and internal Cosmos DB instances. Microsoft classified it as a critical vulnerability.
August 2025: Varonis discovers Reprompt attack. Varonis Threat Labs identified a person-in-the-middle prompt injection technique they called "Reprompt" that could achieve single-click data exfiltration from Microsoft 365 Copilot. The vulnerability specifically affected Copilot Personal. Microsoft patched it on January 13, 2026.
March 2024: U.S. House of Representatives bans Copilot. The U.S. House of Representatives banned Microsoft Copilot for all congressional staff, citing concerns that the tool could leak data to non-House-approved cloud services. The ban predated any of the specific vulnerabilities listed above -- it was based on architectural concerns about where Copilot sends and processes data.
Worth noting: Microsoft's own Data Security Index 2026 found that 32% of organizations experienced data security incidents involving generative AI tools, and only 47% of organizations have implemented controls specifically designed for AI-related data risks. Microsoft is selling a product that its own research says most customers are not equipped to secure.
The Regulatory Fallout
The most immediate institutional response came from the European Parliament. On February 17, 2026 -- one day before the public disclosure of CW1226324 -- the Parliament disabled AI-powered features across approximately 8,000 employee devices. The timing suggests that Parliament IT administrators may have been aware of the service health advisory before it became public news.
The European Parliament's decision was not solely about CW1226324. It reflected a broader pattern of institutional concern about AI assistants processing sensitive government communications. But the Copilot sensitivity label bug provided a concrete, specific example of exactly the failure mode that security teams had warned about.
This joined the U.S. House of Representatives' existing ban on Copilot from March 2024. Two of the world's most prominent legislative bodies have now restricted or disabled Microsoft's flagship AI product over data security concerns.
For Microsoft, the financial implications are not trivial. At $30 per user per month, government and enterprise contracts represent significant revenue. Microsoft's stock was trading at approximately $401 at the time of disclosure, roughly 28% below its 52-week high of $555. Melius Research downgraded the stock, citing concerns about Copilot's enterprise adoption trajectory and recurring security issues.
AI Assistants Have a Systemic Problem
Microsoft is not the only company dealing with AI assistant security failures. The pattern extends across the industry.
Google Gemini: Security researchers demonstrated "GeminiJack," a prompt injection technique that bypasses Gemini's safety controls through document summarization workflows. When Gemini processes a document containing hidden instructions, it can be coaxed into executing actions the user never requested.
ServiceNow: CVE-2025-12420, nicknamed "BodySnatcher," exposed a critical vulnerability (CVSS 9.3) in ServiceNow's Now Assist AI that allowed unauthenticated user impersonation and MFA/SSO bypass in enterprise IT service management deployments.
GitHub Copilot: CVE-2025-53773 demonstrated that GitHub Copilot could be exploited through prompt injection to enable its "YOLO mode" -- an auto-approve setting -- allowing an attacker to achieve remote code execution on a developer's machine without manual confirmation.
Cursor: CVE-2025-59944 revealed that the AI-powered code editor could be exploited through malicious project files to execute arbitrary commands on a developer's machine.
The common thread across all of these is the same fundamental challenge: AI assistants that have broad access to user data will inevitably create new attack surfaces. The retrieval-augmented generation architecture that makes these tools useful -- pulling relevant context from emails, documents, codebases, and databases -- is also what makes them dangerous when access controls fail.
OWASP ranked Prompt Injection as the number one risk in its 2025 Top 10 for Large Language Model Applications. OpenAI has publicly stated that "prompt injection is unlikely to ever be fully solved." These are not theoretical concerns. They are documented, exploited, and recurring.
| Vendor | Product | Vulnerability | Impact |
|---|---|---|---|
| Microsoft | M365 Copilot | CW1226324 (Feb 2026) | Confidential emails surfaced without labels |
| Microsoft | M365 Copilot | EchoLeak CVE-2025-32711 | Zero-click data exfiltration |
| Gemini | GeminiJack (2025) | Safety control bypass via documents | |
| ServiceNow | Now Assist | CVE-2025-12420 | User impersonation, MFA bypass |
| GitHub | Copilot | CVE-2025-53773 | Remote code execution via prompt injection |
| Cursor | Cursor Editor | CVE-2025-59944 | Arbitrary command execution |
What Enterprises Should Do Now
For organizations currently using Microsoft 365 Copilot, the immediate bug has been patched. But the expanded DLP enforcement -- which covers all storage locations including local drives -- will not complete rollout until late April 2026 via the AugLoop component. Until then, gaps remain.
Security teams should take several concrete steps:
Audit Copilot activity logs. Microsoft 365 provides audit logs for Copilot interactions through the Microsoft Purview compliance portal. Organizations should review logs from January 21 through February 11, 2026, to determine whether confidential content was surfaced in Copilot responses during the vulnerability window.
Review sensitivity label policies. Organizations should verify that their Purview sensitivity labels are configured correctly and test whether Copilot currently respects them across all Outlook clients (desktop, web, and mobile).
Consider restricting Copilot access to sensitive mailboxes. Until the expanded DLP fix completes rollout, organizations handling highly sensitive data may want to restrict Copilot access for users whose mailboxes contain classified or regulated content.
Monitor the AugLoop rollout. Microsoft's expanded DLP enforcement via the AugLoop component is scheduled for late March through late April 2026. Organizations should track Microsoft 365 Message Center updates for deployment status in their tenant.
The Bottom Line
Microsoft 365 Copilot had a bug that bypassed sensitivity labels on confidential emails for approximately four weeks. It was not a cyberattack. It was not a prompt injection exploit. It was a code defect in Microsoft's own retrieval pipeline -- the kind of mistake that should have been caught in testing before it reached 15 million paid users.
The bug was the second sensitivity label failure in eight months, following EchoLeak's CVSS 9.3 zero-click vulnerability in June 2025. The European Parliament disabled AI features on 8,000 devices. The U.S. House had already banned Copilot a year earlier. The NHS confirmed it was affected.
Microsoft's response -- that the bug "did not provide anyone access to information they weren't already authorized to see" -- is technically accurate and misses the point entirely. Sensitivity labels exist because access authorization is not the same as distribution authorization. A user who authored a confidential email is authorized to read it. They are not authorized to have its contents stripped of classification and surfaced in an unprotected AI response that can be freely copied and shared.
The deeper problem is not unique to Microsoft. Every major AI assistant -- Google Gemini, GitHub Copilot, ServiceNow Now Assist, Cursor -- has faced similar vulnerabilities. The architecture that makes these tools useful is the same architecture that makes them risky. They need broad access to be helpful. That broad access creates attack surfaces that traditional DLP was never designed to cover.
Microsoft is now racing to close those gaps with expanded DLP enforcement through AugLoop, scheduled to complete by late April 2026. But the pattern suggests this will not be the last time an AI assistant ignores the rules it was built to follow.
The question for enterprises is not whether to use AI assistants. It is whether their security infrastructure has caught up with the risks those assistants introduce. Based on the evidence so far, for most organizations, the answer is no.
Sources
- TechCrunch: Microsoft says Office bug exposed customers' confidential emails to Copilot AI (Feb 18, 2026)
- BleepingComputer: Microsoft says bug causes Copilot to summarize confidential emails (Feb 18, 2026)
- The Register: Copilot spills the beans, summarizing emails it's not supposed to read (Feb 18, 2026)
- VentureBeat: Microsoft Copilot ignored sensitivity labels twice in eight months (Feb 19, 2026)
- Office365ITPros: Code Error Allowed Copilot Chat to Expose Confidential Information (Feb 13, 2026)
- Cato Networks (formerly Aim Security): Breaking Down EchoLeak (CVE-2025-32711) (June 2025)
- Embrace The Red: Microsoft Copilot -- From Prompt Injection to Exfiltration via ASCII Smuggling (Aug 2024)
- Varonis: Reprompt -- The Single-Click Microsoft Copilot Attack (Aug 2025)
- Politico: EU Parliament blocks AI features over cyber, privacy fears (Feb 17, 2026)
- Microsoft Data Security Index 2026 (Jan 29, 2026)
- OWASP Top 10 for LLM Applications 2025 (2025)