Microsoft Copilot ignored sensitivity labels twice in eight months — and no DLP stack caught either one

Source: VentureBeat · Field: Technology & Digital (Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure) · Depth: Intermediate, short

Summary

Microsoft's Copilot experienced two significant security failures within eight months. In both, the AI assistant accessed and summarized confidential data despite explicit sensitivity labels and data loss prevention (DLP) policies. The first, in June 2025, was a zero-click vulnerability (CVE-2025-32711, CVSS 9.3) dubbed "EchoLeak" by Aim Security, which allowed a malicious email to exfiltrate enterprise data. The second, tracked as CW1226324, lasted four weeks starting January 21, 2026: a code error permitted Copilot to process sensitive emails from Sent Items and Drafts. In both instances, traditional security tools like EDR and WAF failed to detect the violations because the violations occurred within Microsoft's internal retrieval and generation pipeline, beyond the scope of conventional perimeter and endpoint monitoring.

Key takeaway

Security leaders deploying or evaluating AI assistants like Copilot must assume that vendor-hosted inference pipelines can fail silently. Implement the five-point audit immediately, focusing on direct testing of DLP enforcement, restricting external content, and leveraging Purview logs for retrospective detection. Your existing SIEM, EDR, and WAF solutions will not detect these internal trust boundary violations, so you need a new incident response playbook for vendor-side AI failures to ensure compliance and data protection.

Key insights

AI assistants can violate trust boundaries invisibly within vendor inference pipelines, bypassing traditional security controls.

Method

A five-point audit includes direct DLP testing, blocking external content, auditing Purview logs for anomalous interactions, enabling Restricted Content Discovery, and building an incident response playbook for vendor-hosted inference failures.
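
One way to run the Purview log step of the audit, as an added example (not code from the VentureBeat article or from Microsoft): it sweeps exported audit rows for Copilot interactions that touched a resource carrying a protected sensitivity label during the CW1226324 window. The field names (AuditData, Operation, CreationTime, UserId, CopilotEventData, AccessedResources, SensitivityLabelId) are assumptions modeled on Purview's CopilotInteraction audit record and should be checked against your tenant's export; the label ID and sample rows are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Exposure window stated in the article: four weeks starting January 21, 2026.
WINDOW_START = datetime(2026, 1, 21, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(weeks=4)
# Constructed placeholder; use the GUIDs of the labels your DLP policy covers.
PROTECTED_LABELS = {"LABEL-GUID-CONFIDENTIAL"}

def find_label_violations(rows, protected=PROTECTED_LABELS,
                          start=WINDOW_START, end=WINDOW_END):
    """Return one finding per protected-label resource Copilot accessed in the window."""
    findings = []
    for row in rows:
        data = row.get("AuditData", row)  # exports often nest the event as a JSON string
        if isinstance(data, str):
            try:
                data = json.loads(data)
            except json.JSONDecodeError:
                continue  # skip an unparseable row instead of aborting the sweep
        if not isinstance(data, dict) or data.get("Operation") != "CopilotInteraction":
            continue
        try:  # assumed: CreationTime is a naive ISO-8601 timestamp in UTC
            when = datetime.fromisoformat(data["CreationTime"]).replace(tzinfo=timezone.utc)
        except (KeyError, TypeError, ValueError):
            continue
        if not start <= when < end:
            continue
        event = data.get("CopilotEventData") or {}
        for res in event.get("AccessedResources") or []:
            if res.get("SensitivityLabelId") in protected:
                findings.append({"user": data.get("UserId"), "time": when.isoformat(),
                                 "resource": res.get("Name"), "label": res["SensitivityLabelId"]})
    return findings

def _row(time, label, op="CopilotInteraction"):
    """Build one constructed audit row (sample data, not real tenant records)."""
    return {"AuditData": json.dumps({
        "Operation": op, "CreationTime": time, "UserId": "alice@example.com",
        "CopilotEventData": {"AccessedResources": [
            {"Name": "Draft: Q1 forecast", "SensitivityLabelId": label}]}})}

SAMPLE_ROWS = [
    _row("2026-01-25T09:14:02", "LABEL-GUID-CONFIDENTIAL"),   # in window, protected
    _row("2026-01-25T09:20:00", ""),                           # in window, unlabeled
    _row("2026-03-02T10:00:00", "LABEL-GUID-CONFIDENTIAL"),   # outside window
    _row("2026-01-26T08:00:00", "LABEL-GUID-CONFIDENTIAL", op="MailItemsAccessed"),
    {"AuditData": "{not json"},                                # malformed export row
]
```

Calling find_label_violations(SAMPLE_ROWS) returns only the first row; each finding gives the user, time, resource and label needed to scope a notification or compliance review.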

Best for: AI Security Engineer, Security Engineer, Director of AI/ML

Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.