Microsoft 365 Copilot Bug Bypasses DLP Controls, Summarizes Confidential Emails


What happened

A recently disclosed software bug in Microsoft 365 Copilot caused the AI assistant to incorrectly process and summarize email messages that were marked with confidentiality sensitivity labels, effectively bypassing configured Data Loss Prevention (DLP) policies.

Who is affected

Organizations using Microsoft 365 Copilot with sensitivity labels and DLP policies on email—particularly those in regulated industries such as healthcare, finance, and government—are at risk, as confidential content in Sent Items and Drafts may have been ingested and summarized by Copilot despite protections.

Why CISOs should care

DLP controls are foundational to enterprise data protection and compliance frameworks. This bug undermines those safeguards, exposing sensitive organizational information to AI processing in ways that could violate internal security policies and regulatory requirements if summaries or underlying content are accessed by unauthorized parties.

3 practical actions

  1. Review Copilot usage and data access policies: Evaluate current Microsoft 365 Copilot configurations to understand where confidential data is accessible to Copilot, and adjust those configurations until the issue is fully remediated.
  2. Monitor Microsoft advisories and rollouts: Track updates to the CW1226324 fix deployment via the Microsoft 365 admin center and validate remediation in your environment.
  3. Audit sensitivity-label enforcement: Conduct targeted audits of email content and DLP enforcement logs to detect any anomalous Copilot interactions with protected data.