Check your Copilot settings after this confidential email bug
|
By
Paulo Vargas Published February 19, 2026 |
Microsoft has warned that a Microsoft 365 Copilot issue led Copilot Chat to generate summaries from confidential emails that should have been blocked by sensitivity labels and data loss prevention controls. It detected the problem on January 21, and tied it to the Copilot “work tab” chat experience.
If your workplace relies on labels and DLP to keep sensitive mail from being processed, the immediate question is simple. Did the fix reach your tenant, and does Copilot still pull from the wrong places.
First spotted by BleepingComputer, Microsoft says an internal code error caused Copilot “work tab” chat to pick up items from Sent Items and Drafts, then summarize them even when a sensitivity label and a DLP policy were configured.
Those folders are also where sensitive material tends to live. Drafts can hold negotiations, early numbers, or language you never intended to send. Sent Items can include the final wording that went to a customer, partner, or regulator. A summary that includes restricted text makes it easier for information to travel inside everyday chat.
For admins, the key point is that this isn’t about someone copy pasting an email into Copilot.
Microsoft began deploying a fix in early February and says it’s monitoring to confirm the change works. But it hasn’t shared two details security teams will care about, how many tenants were affected, and how far back the behavior went before it was detected on January 21.
Without a clear window, it’s hard to choose between a narrow review and a broader one.
Admins should test whether Copilot “work tab” chat can still summarize labeled emails from those mail folders in your environment. Write down what you observe, and keep it with audit notes in case your security team needs to document impact later. Be thorough.
For everyone else, treat Copilot summaries as something to verify, not something to trust by default, until your IT team confirms the updated behavior. If you handle regulated or contract bound information, flag this now so the controls can be checked instead of assumed.
Related Posts
Acer reveals Veriton compact PC to tackle the Mac mini with AMD Ryzen and plenty of AI mojo
Acer is making a direct play in that space with the Veriton RA110 AI Mini Workstation, a compact desktop that runs on AMD's Ryzen AI Max+ 395 processor, aimed at the same desk-bound professional who wants power without the tower.
Acer’s Swift Air 14 is a peppy MacBook Neo rival with some cool upgrades and a $699 ask
At a time when even mainstream laptops are creeping toward four-figure price tags, Acer’s latest machine feels refreshingly straightforward. It’s aimed at students, remote workers, and anyone who wants a laptop that looks and feels expensive without draining their bank account. The Swift Air 14 is powered by Intel’s new Core Series 3 processors and delivers up to 19 hours of battery life. That’s the sort of endurance that could realistically get many users through a full workday and beyond without scrambling for a charger.
Google Drive can now batch-scan your documents and spare you a few other frustrations, too
Well, Google Drive's new document scanner redesign fixes all three problems at once. Announced by Sameer Samat, the President of Android Ecosystem at Google, the feature is now rolling out for Android users.