Microsoft Copilot ignored sensitivity labels twice in eight months — and no DLP stack caught either one
Summary
Microsoft's Copilot experienced two significant security failures within eight months. In both, the AI assistant accessed and summarized confidential data despite explicit sensitivity labels and data loss prevention (DLP) policies. The first, in June 2025, was a zero-click vulnerability (CVE-2025-32711, CVSS 9.3) dubbed "EchoLeak" by Aim Security, which allowed a malicious email to exfiltrate enterprise data. The second, tracked as CW1226324, lasted four weeks starting January 21, 2026: a code error permitted Copilot to process sensitive emails from Sent Items and Drafts. In both instances, traditional security tools like EDR and WAF failed to detect the violations because they occurred within Microsoft's internal retrieval and generation pipeline, beyond the scope of conventional perimeter and endpoint monitoring.
Key takeaway
If you are deploying or evaluating AI assistants like Copilot, assume that vendor-hosted inference pipelines can fail silently. Implement the five-point audit immediately, focusing on direct testing of DLP enforcement, restricting external content, and leveraging Purview logs for retrospective detection. Your existing SIEM, EDR, and WAF solutions will not detect these internal trust boundary violations, so you need a new incident response playbook for vendor-side AI failures to ensure compliance and data protection.
Key insights
AI assistants can violate trust boundaries invisibly within vendor inference pipelines, bypassing traditional security controls.
Principles
- Configuration is not enforcement.
- AI agents process trusted and untrusted data similarly.
- Traditional security tools are blind to internal AI pipeline failures.
Method
A five-point audit includes direct DLP testing, blocking external content, auditing Purview logs for anomalous interactions, enabling Restricted Content Discovery, and building an incident response playbook for vendor-hosted inference failures.
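The Purview log audit step, as an added example that is not from the original article or from Microsoft: it scans exported audit rows for Copilot interactions that touched a resource carrying a label the DLP policy is supposed to exclude, so any hit means the policy was not enforced. The record layout (a `CopilotInteraction` operation, `CopilotEventData.AccessedResources[].SensitivityLabelId`, a JSON string in `AuditData`), the label GUIDs and the sample rows are assumptions constructed for illustration; check them against your own tenant's export.

```python
import json
from datetime import datetime

# Assumption: label GUIDs the tenant's DLP policy is meant to keep out of Copilot.
# These values are constructed placeholders, not real label IDs.
PROTECTED_LABELS = {
    "11111111-1111-1111-1111-111111111111": "Confidential",
    "22222222-2222-2222-2222-222222222222": "Highly Confidential",
}

# Constructed sample export. Row 1 is already-parsed JSON; rows 2 and 3 carry the
# event as a JSON string in "AuditData", the way a CSV export of the log does.
SAMPLE_EXPORT = [
    {"Operation": "CopilotInteraction", "CreationTime": "2026-01-22T09:14:03",
     "UserId": "alice@contoso.example",
     "CopilotEventData": {"AppHost": "Outlook", "AccessedResources": [
         {"Name": "Draft: reorg plan", "Type": "email",
          "SensitivityLabelId": "22222222-2222-2222-2222-222222222222"}]}},
    {"AuditData": json.dumps({
        "Operation": "CopilotInteraction", "CreationTime": "2026-02-03T16:40:11Z",
        "UserId": "bob@contoso.example",
        "CopilotEventData": {"AppHost": "Word", "AccessedResources": [
            {"Name": "lunch-menu.docx", "Type": "docx", "SensitivityLabelId": ""},
            {"Name": "board-minutes.docx", "Type": "docx",
             "SensitivityLabelId": "11111111-1111-1111-1111-111111111111"}]}})},
    {"AuditData": json.dumps({
        "Operation": "FileAccessed", "CreationTime": "2026-02-04T08:00:00",
        "UserId": "carol@contoso.example"})},
]

def flag_labeled_access(rows, protected=PROTECTED_LABELS, since=None):
    """Return Copilot interactions that touched a resource carrying a protected label."""
    findings = []
    for row in rows:
        rec = json.loads(row["AuditData"]) if isinstance(row.get("AuditData"), str) else row
        if rec.get("Operation") != "CopilotInteraction":
            continue  # other audit operations are out of scope for this check
        when = datetime.fromisoformat(rec["CreationTime"].rstrip("Z"))
        if since and when < since:
            continue
        event = rec.get("CopilotEventData") or {}
        for res in event.get("AccessedResources") or []:  # tolerate a null list
            label = (res.get("SensitivityLabelId") or "").lower()
            if label in protected:
                findings.append((when.isoformat(), rec.get("UserId"),
                                 event.get("AppHost"), res.get("Name"), protected[label]))
    return findings

if __name__ == "__main__":
    # Window start taken from the incident date given in the summary above.
    for hit in flag_labeled_access(SAMPLE_EXPORT, since=datetime(2026, 1, 21)):
        print(*hit, sep=" | ")
```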
In practice
- Test Copilot's adherence to sensitivity labels monthly.
- Disable external email context in Copilot settings.
- Turn on Restricted Content Discovery for sensitive SharePoint sites.
Topics
- Microsoft Copilot Security
- AI Trust Boundaries
- Data Loss Prevention
- Retrieval-Augmented Generation
- AI Inference Pipelines
Best for: AI Security Engineer, Security Engineer, Director of AI/ML
Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.