Question of the Day
One question per day to look beyond the headlines.
How did Microsoft 365 Copilot bypass data-loss prevention specifically for Sent Items and Drafts?
Take-away: DLP policies and sensitivity labels were enforced for Copilot's access to the Inbox but not to Sent Items and Drafts; Microsoft attributed the gap to a code issue, since fixed, so confidential mail in those two folders could be pulled into Copilot summaries.
A bug in Microsoft 365 Copilot Chat caused it to access and process confidential emails in the Sent Items and Drafts folders, bypassing data loss prevention (DLP) policies and sensitivity labels [2]. The issue was identified in January, tracked as bug CW1226324, and a fix began rolling out in February [1], [2]. As a result, emails in those folders were summarized by Copilot even though DLP policies and sensitivity labels were in place to prevent such access [1], [3]. The scope was folder-specific: Copilot Chat accessed emails in Sent Items and Drafts, while access to the Inbox remained protected [2]. Microsoft attributed the behaviour to a code problem that allowed emails labeled as confidential to be processed by Copilot [3].
- Microsoft Copilot read confidential emails without permission | Mashable (via google.com)
- Microsoft admits an Office bug exposed confidential user emails to Copilot | TechRadar (techradar.com)
- Microsoft Copilot Chat error sees confidential emails exposed to AI tool | BBC News (bbc.co.uk)