Microsoft Corp. confirmed it is addressing a significant security lapse that allowed its Copilot AI to bypass privacy protections.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Microsoft confirmed a security bug (CW1226324) in Copilot Chat that allowed the AI to bypass confidentiality labels and DLP policies, summarizing emails from Sent Items and Drafts folders without user authorization. Active since late January, the flaw was first reported by BleepingComputer and attributed to an unspecified 'code issue.' A fix began rolling out in early February, though the number of affected Microsoft 365 business customers has not been disclosed. The incident adds to a series of Copilot security concerns, including a previously reported Reprompt vulnerability, and comes amid broader enterprise anxiety about AI tools accessing sensitive corporate data—highlighted by the European Parliament blocking built-in AI features on work devices.

Microsoft Patches Security Flaw That Exposed Confidential Emails to AI