Microsoft admits Copilot reads protected emails, rushes worldwide updates

Microsoft has admitted that, for weeks, its AI assistant Copilot slipped past confidentiality labels and read emails it was never meant to see.
Microsoft has confirmed that a bug in Microsoft 365 Copilot granted the AI assistant access to confidential emails, raising serious privacy concerns for organizations relying on the service.
The flaw, detected in late January, allowed the AI assistant to bypass data loss prevention (DLP) policies designed to protect organizations’ sensitive information. It specifically affected Copilot’s “work tab” chat feature, which can summarize emails from users’ sent and draft folders.
Copilot was found to have access to messages marked as “confidential.” The tagging was meant to prevent automated tools from viewing specific information. However, the safeguards failed and allowed Copilot to read and summarize sensitive content.
The bug was first reported by tech news outlet Bleeping Computer, which said it had seen a service alert confirming the issue. Since the information came to light, Microsoft has reacted by fixing the issue, and a configuration update has been “deployed worldwide for enterprise customers.”
"We identified and addressed an issue where Microsoft 365 Copilot Chat could return content from emails labelled confidential authored by a user and stored within their Draft and Sent Items in Outlook desktop," Microsoft said in its statement to the BBC.
"While our access controls and data protection policies remained intact, this behaviour did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access," they added.
Copilot is not safe. Period
Launched in February 2023, Microsoft Copilot Studio allows companies to build their own AI assistant and train it on specific company data to automate tasks across Microsoft’s apps.
Since the launch, the tech giant has been aggressively rolling out its AI assistant across Microsoft’s ecosystem. Copilot has been integrated into Word, Excel, Outlook, PowerPoint, and OneNote. In September 2025, Copilot Chat went live for Microsoft 365 business customers, enabling users to interact directly with AI agents.
While tech companies are pushing AI assistants as essential productivity tools, cybersecurity experts warn that rapid AI adoption creates new attack surfaces that organizations may struggle to secure. For companies handling sensitive information, the stakes are especially high.
Just this January, security researchers at Varonis Threat Labs uncovered a single-click attack that could trick Microsoft’s Copilot into leaking sensitive user data via a legitimate-looking link.
The flaw in Microsoft Personal, dubbed Reprompt, could work without the user interacting with Copilot at all, beyond clicking a phishing link.
Cybernews has previously reported that a cybersecurity researcher warned Copilot users that it is only a matter of time until Microsoft’s AI tool starts leaking data.
Back in 2024, security researcher Michael Bargury demonstrated how Copilot Studio bots can easily exfiltrate sensitive enterprise data, circumventing existing controls. The findings were revealed at the annual Black Hat USA 2024 security conference in Las Vegas.
According to the researcher, Copilot has an array of vulnerabilities that increase users' risk. A combination of insecure defaults, over-permissive plugins, and wishful design thinking made data leakage “probable, not just possible,” the researcher said at the time.
Using an exploitation tool he created, the researcher scanned for publicly accessible copilots and abused them to extract sensitive enterprise data.
“Attackers can remotely take over your interactions with the Copilot. They can get the Copilot to do whatever they want on your behalf, manipulate you, and misinform your decisions. They have full control of every word the Copilot writes to you,” Bargury said.
Security researchers: “Incidents like this will surge in 2026”
The Copilot incident is unlikely to be an isolated misstep. Instead, it may be an early warning of a much larger risk.
Dr. Ilia Kolochenko, CEO at ImmuniWeb, member of Europol, and Fellow at the European Law Institute, argues that the rapid expansion of agentic AI and AI-powered plugins across traditional software stacks is quietly widening the threat landscape.
“Incidents like this one will likely surge in 2026, possibly becoming the most frequent type of security incident at both large and small companies around the globe,” Kolochenko told Cybernews.
In his view, organizations are adopting AI faster than they can secure it. While companies are racing to deploy intelligent assistants to achieve productivity gains, governance frameworks often lag behind.
Many traditional safeguards, including Data Loss Prevention systems, were never designed to monitor how AI agents access, interpret, and repackage sensitive data. As a result, they struggle to detect unauthorized or excessive AI use by careless employees or malicious insiders.
He warns that the problem extends beyond internal misuse. Criminal groups are already developing malicious AI agents specifically engineered to harvest sensitive information at scale.
“Misuse of AI will also be a disaster for privacy in 2026. Every day, tons of sensitive personal data are shared with LLMs around the globe without any precautions,” he said.
“Even governmental agencies of developed countries are exposed to this risk because of inadequate or simply missing governance of AI in the workplace.”
According to the security professional, shadow AI, when employees bring their own devices with AI apps to scan or otherwise ingest confidential data, will be among the key challenges to tackle.
Kolochenko also predicts a legal reckoning. As AI systems become embedded in critical business processes, liability questions will inevitably follow.
“In 2026, and moving forward, we will probably see many class-action and individual lawsuits against both tech giants and AI boutiques for unlawful collection of user data,” highlights Kolochenko.
“Some unscrupulous actors who purposely use Agentic AI to obtain valuable or confidential data will likely claim that they have been collecting the data without authorization by mistake.”
According to him, whether such a defence will stand in courts depends on many factors, but “the AI industry will likely suffer a lot,” with some AI vendors going out of business due to litigation and reputational losses.
Kolochenko believes that after a few security incidents of a sufficient scale, governments worldwide will rush to regulate AI.
“Incidents, like a crash of a Critical National Infrastructure (CNI) provider or a massive leak of classified documents – governments on both sides of the Atlantic will probably rush to severely regulate use of AI, possibly creating a new AI winter,” he concludes.