Despite advancements in artificial intelligence, systems like Microsoft's Copilot continue to encounter significant errors, including the unintended processing of sensitive emails in Outlook. This vulnerability has been acknowledged in an internal Microsoft bug report.
Within Microsoft 365 environments, the Copilot Chat feature can access and summarize emails stored in the Sent and Drafts folders of Outlook even when they carry a confidential label, which is intended to block access by automated systems. According to coverage by BleepingComputer, the flaw is tracked under the identifier 'CW1226324', and remediation is underway for impacted users. No specific rollout schedule has been provided for widespread deployment. The complete bug details can be viewed only with administrative permissions in Microsoft 365, so they are not visible to the public.
This breach raises serious privacy concerns, as Outlook's confidential marking safeguards critical data such as corporate agreements, legal communications, official inquiries from authorities, and health records. Such information should remain isolated from large language models, particularly to prevent incorporation into training datasets.
Microsoft has not disclosed the number of affected individuals but has noted that the extent of the issue could evolve during ongoing reviews.