AI is infiltrating every aspect of our lives, and even more so in organizations which are embracing its latest advancements. Although AI tools like Microsoft 365 Copilot can be very useful when used correctly, it seems like a recent bug actually resulted in a privacy nightmare for enterprise customers.
As first spotted by Office365ITPros, a recent advisory posted on the Microsoft admin portal indicates that Copilot is reading your confidential emails as it summarizes messages for you. This is a massive violation of privacy and security, considering data loss prevention (DLP) policies like privacy labels are specifically designed to restrict scenarios like these.
Microsoft has noted that this was unintended behavior and was actually due to a programming bug. It primarily impacted emails in the Sent Items and Drafts folders, which were sent to Copilot Chat for summarization of content. This issue was first discovered by customers on January 21, 2026, and is being tracked under the CW1226324 ID.
The bad news is that despite being a fairly severe security lapse, Microsoft is yet to fully roll out a robust fix. It began deploying a fix in a staggered manner starting on February 10, but it is yet to reach all impacted customers. The Redmond tech giant is informing affected customers and testing the impact of remediation measures to ensure that the patch works as expected.
While we await a full incident report, it will be interesting to know if the root cause, that is, the programming bug, has always existed in the implementation of Copilot integration, or if it's the result of a recent change. Regardless, news about this bug will not please organizations, many of which are paying hefty sums to integrate Copilot in their environments. Perhaps it will once again raise alarms about the possibility of Microsoft vibecoding its software and not properly testing it, but long-term impacts are yet to be seen.
Update: In a statement to Neowin, a Microsoft spokesperson has indicated that this issue is now fixed and that it was not the "intended Copilot experience". The full statement is as follows:
We identified and addressed an issue where Microsoft 365 Copilot Chat could return content from emails labeled confidential authored by a user and stored within their Draft and Sent Items in Outlook desktop. This did not provide anyone access to information they weren’t already authorized to see. While our access controls and data protection policies remained intact, this behavior did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access. A configuration update has been deployed worldwide for enterprise customers.
All that said, it's interesting to note that while the bug was first reported on January 21, it seems like the fix was expedited only after media outlets caught wind of the issue. Regardless, all's well that ends well.
Posted Friday 20 February 2026 at 12:04 pm AEST (my time).