Microsoft's AI Read Your Confidential Emails. Twice.

Riley Torres

Let me set the scene: It's a quiet Tuesday in your IT department. Your DLP stack is humming. Every sensitivity label is properly configured. Your "Confidential" emails are, theoretically, confidential. Then Microsoft 365 Copilot reads them anyway and helpfully summarizes them in your chat window.

This happened. Starting January 21, 2026, Copilot's Work Tab decided that "Confidential" sensitivity labels were more of a suggestion than a directive. For four weeks, it summarized restricted emails from Sent Items and Drafts, potentially including emails from NHS accounts, financial institutions, and any enterprise that assumed Microsoft's AI would respect its security policies.

And here's the part that should make your security team's eye twitch: no DLP tool flagged it.

Let me say that again. The entire point of DLP (Data Loss Prevention) is to prevent data from going places it shouldn't. Microsoft Copilot's retrieval pipeline bypassed those policies completely, and none of the standard enterprise security monitoring caught it. Your SIEM didn't know. Your Purview alerts stayed quiet. The sensitivity label was still sitting on that email, asserting a policy the system reading it had already ignored.

Microsoft tracked this internally as CW1226324. They've since deployed a configuration fix and released the usual polished statement about how "access controls and data protection policies remained intact" while carefully noting the experience "did not meet our intended Copilot experience." Which is a very corporate way of saying: our AI read your secrets — but rest assured, it was only your own secrets.

But Wait — This Is the Second Time

Here's what makes this more than a patch-it-and-move-on bug: it's happened before. In June 2025, Microsoft patched CVE-2025-32711, nicknamed EchoLeak, a different vulnerability, this one a zero-click flaw that let attackers coax Copilot into exposing content it had no business touching. That was eight months ago.

So we now have a pattern — not a one-off mistake, not a weird edge case, but a repeating category of failure: Microsoft's AI retrieval layer keeps finding ways to ignore the security controls built around it.

The technical explanation is the kind of boring that most security failures are. A code path error in how items in Sent Items and Drafts were processed. Those folders weren't supposed to enter Copilot's retrieval set at all. They did. For a month. The interesting question isn't "how did the code break?" — it's "why did it take four weeks to notice?"
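
We don't have Microsoft's code, and nothing below pretends to be it. But the class of bug is easy to picture. Here's a minimal sketch, in deliberately generic Python, of the folder-and-label filter that evidently wasn't being applied; every name in it is illustrative:

```python
# Illustrative sketch only; folder and label names are generic, not Microsoft's.
from dataclasses import dataclass

EXCLUDED_FOLDERS = {"Sent Items", "Drafts"}              # never eligible for retrieval
EXCLUDED_LABELS = {"Confidential", "Highly Confidential"}

@dataclass
class MailItem:
    subject: str
    folder: str
    sensitivity_label: str | None = None

def retrieval_eligible(item: MailItem) -> bool:
    """True only if the item may enter the assistant's retrieval set."""
    if item.folder in EXCLUDED_FOLDERS:
        return False
    if item.sensitivity_label in EXCLUDED_LABELS:
        return False
    return True

def build_retrieval_set(items: list[MailItem]) -> list[MailItem]:
    # The reported bug behaves as if this filter silently stopped applying
    # to two folders, with nothing downstream checking that it had run.
    return [item for item in items if retrieval_eligible(item)]
```

The point of the sketch isn't the two lines of filtering. It's that when a filter like this silently stops applying, nothing else in the stack is watching for its absence.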

Your Threat Model Has a Blind Spot

Security teams have spent decades building models around users and applications. Users have permissions. Applications have defined access boundaries. You audit both. When something breaks, you have logs.

AI assistants like Copilot are neither users nor traditional applications; they're a semantic layer sitting on top of your data, able to pull together and summarize content in combinations no individual permission grant ever anticipated. Classic DLP checks file transfers, email forwarding, clipboard activity. It does not check "did the AI summarize this email?"
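
If you want a feel for how small that missing check is, here's a deliberately generic sketch of the detective rule most shops don't have: correlate AI-assistant activity records against your own sensitivity-label inventory and flag any overlap. Every field name here is an assumption, not anyone's real schema:

```python
# Hypothetical detective rule: flag AI-assistant interactions that referenced
# labeled content. Record structure is assumed, not any vendor's actual schema.
from typing import Iterable

CONFIDENTIAL_LABELS = {"Confidential", "Highly Confidential"}

def flag_ai_access_to_labeled_items(
    ai_events: Iterable[dict],       # AI-assistant activity records (schema assumed)
    label_index: dict[str, str],     # item_id -> sensitivity label, from your inventory
) -> list[dict]:
    """Return AI interactions that touched items carrying a confidential label."""
    alerts = []
    for event in ai_events:
        referenced = event.get("referenced_item_ids", [])   # hypothetical field name
        hits = [i for i in referenced if label_index.get(i) in CONFIDENTIAL_LABELS]
        if hits:
            alerts.append({"event": event.get("id"), "labeled_items": hits})
    return alerts
```

Nothing about this is hard. It just isn't what DLP products were built to watch.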

Forty-seven percent of CISOs surveyed in 2026 reported already observing AI agents exhibit unintended or unauthorized behavior. Which suggests this isn't a Microsoft-specific problem — it's an industry-wide gap in how we think about AI and data access.

This connects to something we've noticed before about how AI systems have "personalities" that don't always align with what you think you configured. The gap between what an AI system appears to respect and what it actually respects can be surprisingly wide. CW1226324 is that gap made concrete.

What Should You Actually Do?

If you work in a regulated industry — healthcare, finance, government — and your organization uses Microsoft 365 with Copilot, check your Copilot activity logs for January 21 through early February 2026. That's the window. If Copilot was enabled and you had "Confidential" items in Sent Items or Drafts, those items may have been processed.
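
If you're wondering where to even look: Copilot interactions do land in the Microsoft 365 unified audit log, which you can export from Purview and sift offline. Here's a rough triage sketch, assuming a CSV export with CreationDate, Operations (or Operation), and AuditData columns and an operation name containing "CopilotInteraction"; confirm those names against your actual export before trusting the count:

```python
# Rough triage sketch for the CW1226324 window. Column names and the
# operation string are assumptions about your export; verify before relying on it.
import csv
import json

WINDOW_START = "2026-01-21"   # the article's reported start date
WINDOW_END = "2026-02-18"     # roughly "four weeks" later; adjust as needed

def copilot_events_in_window(path: str) -> list[dict]:
    """Pull Copilot interaction records from an exported audit-log CSV."""
    hits = []
    with open(path, newline="", encoding="utf-8-sig") as f:
        for row in csv.DictReader(f):
            op = row.get("Operations") or row.get("Operation") or ""
            if "CopilotInteraction" not in op:
                continue
            # Assumes an ISO-style CreationDate ("2026-01-22T14:33:00Z");
            # comparing the date prefix avoids fussy timestamp parsing.
            day = row.get("CreationDate", "")[:10]
            if WINDOW_START <= day <= WINDOW_END:
                hits.append(json.loads(row.get("AuditData") or "{}"))
    return hits

if __name__ == "__main__":
    events = copilot_events_in_window("audit_export.csv")
    print(f"{len(events)} Copilot interactions fall inside the incident window")
```

A nonzero count doesn't mean anything leaked. It means you have interactions worth cross-referencing against what was sitting in Sent Items and Drafts during the window.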

The NHS flagged this as formal incident INC46740412. Your compliance officer probably needs to know this existed.

If you're not in a regulated industry, consider what's in your Drafts folder right now. The employment contract you never sent. The salary negotiation still sitting there. The email to your lawyer. Microsoft says no data was improperly accessed by anyone other than the authenticated user — which is technically reassuring and also kind of beside the point.

The issue isn't that a stranger read your confidential email. The issue is that a system you told not to read it read it anyway, and the controls that were supposed to prevent that never fired.

The Bet You're Making

Every organization adopting Copilot, Claude for Enterprise, or any other embedded AI assistant is making an implicit bet: that the vendor's security model will hold, that the retrieval layer will respect the access controls, that the AI will stay in its lane.

Those are reasonable bets. AI integration genuinely improves productivity for a lot of teams, and I'm not suggesting enterprises should torch their Copilot licenses over this. But AI accountability is a real and unsolved problem — whether we're talking about an agent that publishes something it shouldn't or an AI that reads something it shouldn't. The failure modes are different; the underlying dynamic is the same.

CW1226324 is a data point about what happens when those bets don't pay off. The failure isn't dramatic. Nobody stole your data. It's subtler: your AI read content it wasn't supposed to, surfaced it in a context that violated your policies, and your monitoring infrastructure didn't catch it for four weeks.

Build that into your threat model. Then tell your board you did.