Microsoft discloses Office defect that let Copilot access private emails

What happened — A bug in Office caused the Microsoft 365 chat-powered assistant to process messages that had been marked with confidentiality labels, allowing the assistant to ingest draft and sent items despite label-based protections. The behavior effectively bypassed certain data loss prevention expectations and persisted from January into February before Microsoft began a phased fix. Administrators can monitor remediation progress via the message center entry CW1226324.

Scope and mechanics — The vector was rooted in how the in-app Copilot integration handled protected messages, not in users intentionally sharing data with external models. Because the assistant accessed both drafts and sent mail items, organizations that rely on label enforcement for compliance faced the risk that sensitive content was available to the assistant during the exposure window. Microsoft has not published a tenant-level impact count.

Consequences and reactions — The incident prompted immediate operational work for security and compliance teams: reconciling logs, determining whether protected content was processed, and preparing notification or remediation workflows where required. At least one major body, the European Parliament, responded by disabling built-in AI features on managed devices, illustrating how institutions may favor conservative controls while vendors remediate.

Broader context — The Copilot label-bypass disclosure arrived amid a busy patch period for Office: Microsoft also disclosed active exploit activity tied to vulnerabilities such as CVE-2026-21509, and U.S. authorities have added some Office bugs to the Known Exploited Vulnerabilities list, raising remediation timelines for government and critical infrastructure operators. Together these events increased operational pressure on defenders to validate updates, apply layered mitigations where patches could not be immediately deployed, and review telemetry for signs of misuse.

Operational takeaways — Beyond patching, defenders should inventory which endpoints and accounts have AI assistants enabled, rotate credentials exposed to auxiliary services, and search logs for assistant interactions with labeled content. Organizations that cannot quickly apply the fix should consider restricting Copilot access, enforcing stronger endpoint controls, or disabling built-in AI features on sensitive machines until guarantees are validated.

Strategic ripple effects — The episode underscores a broader pattern seen with agentic and AI systems: misconfigurations or unexpected processing pathways can make sensitive data accessible to models or services. Procurement, legal and security teams will push for clearer, auditable assurances about how vendors handle labeled or otherwise protected data — including options for on-device inference or explicitly segregated pipelines — and for contractual remedies that address AI ingestion risks.