Microsoft bug allowed Copilot to summarize confidential emails

Source: Dataconomy · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Fundamental Awareness, quick

Summary

Microsoft confirmed that a bug, tracked as CW1226324, allowed its Copilot AI to summarize confidential customer emails without explicit permission, bypassing established data loss prevention (DLP) policies. Active since January, the vulnerability specifically affected Copilot Chat's functionality within Microsoft 365, enabling it to read and outline draft and sent emails marked with confidential labels. Microsoft began rolling out a fix in February, following the initial report by Bleeping Computer. Copilot Chat is an AI-powered feature available to paying Microsoft 365 customers, integrated across Office applications such as Word, Excel, and PowerPoint. Microsoft acknowledged that confidential email messages were "incorrectly processed" but did not disclose the number of affected customers.

Key takeaway

For security architects and compliance officers overseeing Microsoft 365 deployments, this incident underscores the critical need to audit AI service interactions with sensitive data. You should proactively verify that Copilot's data access adheres strictly to your organization's data loss prevention policies, especially concerning confidential information, and monitor for any unexpected data processing behaviors.

Key insights

A Microsoft Copilot bug exposed confidential emails by bypassing data loss prevention policies.

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, IT Professional

Editorial summary, takeaway, and curation by AIssential. Original article published by Dataconomy.