Question of the Day
One question per day to look beyond the headlines.
Where did Microsoft’s sensitivity labels and DLP policies break down—permission checks or Copilot’s summarization pipeline?
Take-away: Label/DLP enforcement failed inside Copilot Chat's summarization path, not in mailbox permission checks. Microsoft described it as a code issue in how Copilot Chat processed draft and sent emails; the reports do not say exactly where in that path the label and policy gates were skipped.
Microsoft’s sensitivity labels and data loss prevention (DLP) policies broke down in the Copilot summarization pipeline, not in permission checks. A bug allowed Microsoft 365 Copilot Chat to process and summarize confidential emails, including ones carrying a confidentiality label that should have excluded them, which bypassed those policies [1], [2]. Microsoft confirmed this was a code issue in how Copilot Chat processed content from draft and sent emails, despite the sensitivity labels and DLP policies applied to them [1], [3]. Drafts and sent items live in the user's own mailbox, so Copilot was reading content the user already had access to; the failure was that the label and DLP gates meant to keep that content out of the AI processing path did not fire, not that access controls were defeated.
- Microsoft Copilot bug exposes confidential emails to AI (thenews.com.pk)
- Microsoft Copilot read confidential emails without permission (Mashable, via google.com)
- Microsoft Copilot Chat error sees confidential emails exposed to AI tool (BBC News, bbc.co.uk)