Microsoft 365 Copilot Bug Bypasses DLP Policies for Confidential Emails

First reported

18.02.2026 14:03

Last updated

24.02.2026 19:30

1 unique sources, 2 articles

Summary

Hide ▲

A bug in Microsoft 365 Copilot, first detected on January 21, 2026, caused the AI assistant to summarize confidential emails, bypassing data loss prevention (DLP) policies. Microsoft confirmed the issue and began rolling out a fix in early February. The company is now expanding DLP controls to block Copilot from processing confidential documents across all storage locations, including local files, between late March and late April 2026. The full remediation timeline and scope of impact remain undisclosed.

Timeline

24.02.2026 19:30 1 articles · 23h ago

Microsoft expands DLP controls to all storage locations
Microsoft is expanding DLP controls to block Copilot from processing confidential Word, Excel, and PowerPoint documents across all storage locations, including local files. The change will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026.
Show sources

Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
Open in new tab
18.02.2026 14:03 2 articles · 7d ago

Microsoft 365 Copilot Bug Bypasses DLP Policies for Confidential Emails
A bug in Microsoft 365 Copilot, first detected on January 21, 2026, causes the AI assistant to summarize confidential emails, bypassing DLP policies. Microsoft confirmed the issue and began rolling out a fix in early February. The bug was described as a 'code issue' that allowed Copilot to read and summarize confidential emails in users' Sent Items and Drafts folders, providing access to the summarized information only to those already authorized to see it.
Show sources

Microsoft says bug causes Copilot to summarize confidential emails — www.bleepingcomputer.com — 18.02.2026 14:03

Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
Open in new tab

Information Snippets

The bug (tracked under CW1226324) was first detected on January 21, 2026.
First reported: 18.02.2026 14:03

1 source, 2 articles
Show sources
- Microsoft says bug causes Copilot to summarize confidential emails — www.bleepingcomputer.com — 18.02.2026 14:03
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
The affected feature is the Copilot 'work tab' chat, which summarizes emails in Sent Items and Drafts folders.
First reported: 18.02.2026 14:03

1 source, 2 articles
Show sources
- Microsoft says bug causes Copilot to summarize confidential emails — www.bleepingcomputer.com — 18.02.2026 14:03
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
Microsoft 365 Copilot Chat was rolled out to Word, Excel, PowerPoint, Outlook, and OneNote for paying Microsoft 365 business customers in September 2025.
First reported: 18.02.2026 14:03

1 source, 1 article
Show sources
- Microsoft says bug causes Copilot to summarize confidential emails — www.bleepingcomputer.com — 18.02.2026 14:03
Microsoft confirmed the bug and began rolling out a fix in early February 2026.
First reported: 18.02.2026 14:03

1 source, 2 articles
Show sources
- Microsoft says bug causes Copilot to summarize confidential emails — www.bleepingcomputer.com — 18.02.2026 14:03
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
The incident has been tagged as an advisory, indicating limited scope or impact.
First reported: 18.02.2026 14:03

1 source, 1 article
Show sources
- Microsoft says bug causes Copilot to summarize confidential emails — www.bleepingcomputer.com — 18.02.2026 14:03
Microsoft is expanding DLP controls to block Copilot from processing confidential Word, Excel, and PowerPoint documents regardless of their location.
First reported: 24.02.2026 19:30

1 source, 1 article
Show sources
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
The change will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026.
First reported: 24.02.2026 19:30

1 source, 1 article
Show sources
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
The bug was described by Microsoft as a 'code issue' that allowed Copilot to read and summarize confidential emails in users' Sent Items and Drafts folders.
First reported: 24.02.2026 19:30

1 source, 1 article
Show sources
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30
The bug provided access to the summarized information only to those who were already authorized to see it.
First reported: 24.02.2026 19:30

1 source, 1 article
Show sources
- Microsoft adds Copilot data controls to all storage locations — www.bleepingcomputer.com — 24.02.2026 19:30

Similar Happenings

Microsoft Introduces Policy to Uninstall Copilot on Managed Devices

Microsoft is testing a new policy that allows IT administrators to uninstall the AI-powered Copilot digital assistant on managed devices. This policy, RemoveMicrosoftCopilotApp, is available in the Dev and Beta Insider channels for Windows 11 Insider Preview Build 26220.7535 (KB5072046). The policy applies to devices where both Microsoft 365 Copilot and Microsoft Copilot are installed, the app was not user-installed, and it has not been used in the last 28 days. The policy is available for Enterprise, Pro, and EDU SKUs and can be enabled via the Group Policy editor. This update also addresses several known issues in the File Explorer and Windows Update settings.

Open in new tab

Summary

Timeline

Microsoft expands DLP controls to all storage locations