PBX Science

Microsoft 365 Copilot Bug Silently Read Confidential Emails for Weeks — And What It Means for Gmail Users

February 23, 2026  |  Technology & Cybersecurity

A significant privacy flaw in Microsoft 365 Copilot was quietly exposing enterprise email content for nearly a month before the company publicly acknowledged it — and the incident is now raising broader questions about how AI assistants handle sensitive data across all major platforms, including Gmail.


What Happened: The Bug Microsoft Confirmed

Microsoft has confirmed a software defect in Microsoft 365 Copilot Chat that allowed the AI assistant to read and summarize emails marked as “confidential” — bypassing the Data Loss Prevention (DLP) policies that enterprise customers depend on to protect sensitive information. The issue was first reported by customers on January 21, 2026, and tracked internally by Microsoft under advisory code CW1226324.

The flaw specifically affected the “work tab” chat feature within Copilot Chat — the AI-powered assistant available to paying Microsoft 365 business customers. According to Microsoft’s own service alert, seen first by BleepingComputer:

“The Microsoft 365 Copilot ‘work tab’ Chat is summarizing email messages even though these email messages have a sensitivity label applied and a DLP policy is configured.”

In plain terms: even when a company had explicitly labeled certain emails as confidential and configured rules to prevent AI tools from accessing them, Copilot was doing so anyway. The affected folders were users’ Sent Items and Drafts in Outlook — not the general inbox, but still containing content that organizations had specifically tried to wall off from automated processing.


The Timeline: A Month in the Shadows

The chronology of this incident is almost as concerning as the bug itself. Users first flagged the issue on January 21, 2026, but it took Microsoft until February 3 to formally log the advisory. A phased fix began rolling out around February 10-11, and as of mid-February, Microsoft reported that the code correction had “saturated across the majority of affected environments.”

By February 18-20, multiple technology outlets — including The Register, BleepingComputer, TechCrunch, TechRadar, and Neowin — reported on the issue after it became public. Microsoft confirmed the fix and issued a formal statement:

“We identified and addressed an issue where Microsoft 365 Copilot Chat could return content from emails labeled confidential authored by a user and stored within their Draft and Sent Items in Outlook desktop. This did not provide anyone access to information they weren’t already authorized to see.”

Microsoft’s final update was expected by February 24, 2026, when the company said it would confirm full remediation. The company has not disclosed how many organizations were affected, and as Neowin noted, the fix appeared to accelerate only after press coverage drew wider attention.


Why This Matters: DLP Is the Backbone of Enterprise Data Security

Data Loss Prevention policies are not a nice-to-have feature — for many organizations, they are a legal and regulatory requirement. Industries such as healthcare, finance, legal services, and government use DLP controls to ensure that sensitive communications are never processed by unauthorized systems, including AI tools.

Microsoft’s own documentation makes clear that sensitivity labels — the mechanism used to tag content as confidential — are supposed to exclude marked items from Copilot’s reach. Yet the bug rendered those controls ineffective for Sent Items and Drafts, two folders that routinely contain negotiation memos, health records, financial details, and legal strategy.

Notably, the UK’s National Health Service internally tracked this incident under its own advisory code (INC46740412), underscoring that the real-world impact extended to public sector organizations that handle some of the most sensitive data of all.

Microsoft emphasized that the bug did not allow anyone to access another person’s emails — Copilot only surfaced content within the signed-in user’s own account. But security experts point out that this distinction misses a key concern: DLP policies exist precisely to exclude AI systems from processing certain content, regardless of who authored it.


Does Gmail Have the Same Problem?

The Copilot incident naturally raises the question: could something similar happen in Gmail, which has increasingly integrated Google’s Gemini AI into its email experience?

The short answer is: no confirmed equivalent bug exists — but the underlying privacy dynamics are more complicated than Google’s official messaging suggests.

How Gemini Accesses Gmail

When enabled, Gemini in Gmail can access a user’s entire email history — including sent messages, drafts, attachments, financial statements, and personal conversations — to power features such as email summaries, smart replies, and natural language search. This is by design, not a bug.

Google states that for enterprise Google Workspace customers, Gemini’s access is governed by existing DLP policies, Information Rights Management (IRM) controls, and sensitivity labels. According to Google’s own Generative AI in Google Workspace Privacy Hub, when IRM restrictions are in place, “Gemini will not retrieve those files or their content on the user’s behalf.”

Google also asserts that enterprise Workspace data is not used to train its external AI models without permission, and that content stays within the organization’s boundaries.

Where the Concerns Remain

However, several structural issues remain worth noting for enterprise and personal Gmail users alike:

  1. Personal Gmail users face a different standard. Google’s stronger privacy protections apply specifically to paid Google Workspace accounts. Free Gmail users operate under different terms, and their AI-assisted interactions may be used to improve Google’s services. Google’s own guidance warns: “Please don’t enter confidential information that you wouldn’t want a reviewer to see.”
  2. Human review does occur. Google retains the ability to have human reviewers examine Gemini conversations for quality and safety purposes, even for users who opt out of activity tracking. Conversations may be retained for up to 72 hours (or longer if reviewed by a human).
  3. Gemini inherits permission overreach. Unlike the Microsoft bug — which was an unintended code flaw — Gemini’s access to emails is deliberate and broad by design. If an organization has misconfigured sharing permissions or overly broad group access in Google Workspace, Gemini can surface sensitive content that employees were never intended to see. As security researchers at Concentric AI put it: “Gemini inherits the environment it enters.”
  4. Opt-out is not simple. Users wishing to limit Gemini’s access to their Gmail must navigate multiple separate settings — disabling smart features in both Gmail settings and Google Workspace smart features settings. Disabling only one still leaves the other active.
  5. No verified DLP bypass bug reported. Unlike the Microsoft incident, there is no confirmed, publicly reported case of Gemini ignoring configured DLP policies in Google Workspace. That said, AI integration with enterprise email is still a relatively new deployment, and independent security audits of AI-driven DLP enforcement remain limited.


Side-by-Side: Microsoft Copilot vs. Gemini in Gmail

| Feature | Microsoft 365 Copilot | Gemini in Gmail |
|---|---|---|
| Confirmed DLP bypass bug | Yes — CW1226324 (Jan–Feb 2026) | No confirmed bug reported |
| Email access scope | Sent Items & Drafts (via bug) | Full inbox (by design, if enabled) |
| DLP policy enforcement | Failed due to code flaw | Claimed; not independently verified |
| Affects enterprise customers | Yes | Yes (Google Workspace) |
| Affects personal users | Limited (M365 business product) | Yes (free Gmail with AI features) |
| Human review possible | Not disclosed | Yes, per Google’s privacy policy |
| Data used for AI training | No | No for Workspace; possible for free Gmail |
| Opt-out available | Admin can disable Copilot | Yes, but requires multiple settings changes |

What Should Organizations Do Now?

For Microsoft 365 customers, the immediate threat has been addressed. Microsoft’s configuration fix has now been deployed globally, and the company says full remediation was expected by February 24. However, organizations should take the following steps to reduce ongoing risk:

Verify your tenant is patched. IT administrators can check the Microsoft 365 admin center under advisory CW1226324 to confirm that their environments received the fix.

Audit Copilot access logs. Review Copilot activity logs for any anomalous summarization of confidential items during the January 21 – February 10 window.

Test DLP policies actively. Do not assume configured sensitivity labels are being enforced — test them against Copilot by submitting labeled content and verifying it does not appear in AI responses.

Enable Restricted Content Discovery (RCD). For SharePoint, Microsoft offers RCD as an additional tool to remove sensitive sites from Copilot’s view. It is available to all tenants with Copilot licenses and should be deployed.
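As an added illustration of the “audit Copilot access logs” step (example code written for this post, not taken from Microsoft, the article, or any of its sources), the script below runs over a constructed JSON-lines export and flags Copilot Chat interactions that touched sensitivity-labelled items in Sent Items or Drafts, then sorts them into the exposure window the article gives (January 21 to the February 10-11 rollout) and the period after the fix. The record layout (CreationTime, Operation, UserId, and CopilotEventData.AccessedResources with Type, Name, Folder and SensitivityLabelId), the label GUID, and the user names are assumptions made for the example; map them onto the fields your own tenant’s audit export actually contains before relying on it.

```python
"""Added example: triage Copilot Chat audit records for labelled-mail access.

Not from the article or from Microsoft. The record layout below is an assumed,
simplified shape for a JSON-lines audit export; adapt the field names to the
export your tenant produces.
"""
import json
from datetime import datetime, timezone

# Exposure window taken from the article: customer reports began January 21,
# 2026 and the phased fix started rolling out around February 10-11.
# WINDOW_END is exclusive, so February 11 onward counts as "after fix".
WINDOW_START = datetime(2026, 1, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 2, 11, tzinfo=timezone.utc)

# Folders the article reports as affected by the bug.
AFFECTED_FOLDERS = {"Sent Items", "Drafts"}

# Hypothetical label-ID to label-name mapping. The GUID is a constructed
# placeholder; real tenants substitute their own sensitivity-label IDs.
CONFIDENTIAL_LABELS = {
    "00000000-0000-0000-0000-00000000c0de": "Confidential",
}

# Constructed sample export, one JSON object per line (assumed layout).
SAMPLE_EXPORT = """\
{"CreationTime":"2026-02-02T14:03:11Z","Operation":"CopilotInteraction","UserId":"alice@example.com","CopilotEventData":{"AppHost":"Office","AccessedResources":[{"Type":"Email","Name":"Q1 acquisition terms","Folder":"Sent Items","SensitivityLabelId":"00000000-0000-0000-0000-00000000c0de"}]}}
{"CreationTime":"2026-02-03T09:15:00Z","Operation":"CopilotInteraction","UserId":"alice@example.com","CopilotEventData":{"AppHost":"Office","AccessedResources":[{"Type":"Email","Name":"Lunch menu","Folder":"Inbox","SensitivityLabelId":null}]}}
{"CreationTime":"2026-02-15T11:42:30Z","Operation":"CopilotInteraction","UserId":"bob@example.com","CopilotEventData":{"AppHost":"Office","AccessedResources":[{"Type":"Email","Name":"Patient referral draft","Folder":"Drafts","SensitivityLabelId":"00000000-0000-0000-0000-00000000c0de"}]}}
{"CreationTime":"2026-02-04T16:20:05Z","Operation":"FileAccessed","UserId":"carol@example.com"}
"""


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO 8601 'Z' timestamps used in the export into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_export(text: str) -> list:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def labelled_mail_accesses(records: list) -> list:
    """Return one finding per Copilot access to a labelled email in an affected folder.

    Only CopilotInteraction records are considered; resources without a
    sensitivity label, or outside Sent Items/Drafts, are ignored.
    """
    findings = []
    for rec in records:
        if rec.get("Operation") != "CopilotInteraction":
            continue
        when = parse_timestamp(rec["CreationTime"])
        resources = rec.get("CopilotEventData", {}).get("AccessedResources", [])
        for res in resources:
            label_id = res.get("SensitivityLabelId")
            if res.get("Type") != "Email" or not label_id:
                continue
            if res.get("Folder") not in AFFECTED_FOLDERS:
                continue
            findings.append({
                "user": rec["UserId"],
                "time": when,
                "item": res.get("Name"),
                "folder": res["Folder"],
                "label": CONFIDENTIAL_LABELS.get(label_id, label_id),
            })
    return findings


def triage(findings: list) -> dict:
    """Bucket findings by when they happened relative to the published window.

    before_window:   labelled access predating the first reports (bug may be older)
    exposure_window: expected exposure during the bug; review what was surfaced
    after_fix:       labelled access after the rollout; the fix has not taken here
    """
    report = {"before_window": [], "exposure_window": [], "after_fix": []}
    for f in findings:
        if f["time"] < WINDOW_START:
            report["before_window"].append(f)
        elif f["time"] < WINDOW_END:
            report["exposure_window"].append(f)
        else:
            report["after_fix"].append(f)
    return report


if __name__ == "__main__":
    report = triage(labelled_mail_accesses(load_export(SAMPLE_EXPORT)))
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f['time']:%Y-%m-%d} {f['user']} {f['folder']}: "
                  f"{f['item']} [{f['label']}]")
```

Anything that lands in the after_fix bucket is the item to escalate: it is evidence, from the tenant’s own data rather than the advisory status page, that labelled mail was still reaching Copilot after the correction was supposed to have saturated, which is exactly what the “verify your tenant is patched” step is trying to establish.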

For Gmail and Google Workspace users, the priority is understanding and hardening your current configuration:

Enterprise admins: audit IRM and DLP settings. Confirm that sensitivity labels and information rights controls are properly scoped to restrict Gemini access to content categories that require protection.

Free Gmail users: consider disabling AI features. If you handle sensitive personal or professional information in a personal Gmail account, navigate to Settings → See all settings → General tab, and disable smart features in both Gmail and Google Workspace smart features sections.

Consider end-to-end encryption. Google offers client-side encryption (CSE) for enterprise Workspace accounts, which technically prevents Gemini from accessing content because even Google cannot decrypt it. This is the strongest available protection.


The Bigger Picture: AI Is Outpacing Governance

The Microsoft Copilot incident is not merely a single software bug — it is a warning about the pace at which enterprise AI is being deployed relative to the maturity of the governance frameworks surrounding it.

Traditional DLP systems were designed for a world of human actors and deterministic software. They were not built to anticipate AI assistants that can synthesize, summarize, and surface restricted data in ways that existing rule sets did not foresee. As Dr. Ilia Kolochenko of cybersecurity firm ImmuniWeb observed in analysis of the incident: “Incidents like this one will likely surge in 2026, possibly becoming the most frequent type of security incident at both large and small companies around the globe.”

Microsoft’s own documentation acknowledged an important and underappreciated fact: sensitivity labels do not function consistently across all Microsoft 365 applications. They work as expected in Word and Excel — but in Teams and Copilot Chat, the behavior has historically been less predictable.

Enterprises moving quickly to adopt AI assistants — whether from Microsoft, Google, or other vendors — should treat this episode as a prompt to independently test and validate every AI-data governance control they believe is in place. The policy may exist on paper. That does not mean the AI is reading it.


Sources: BleepingComputer, The Register, TechCrunch, TechRadar, Neowin, office365itpros.com, eSecurity Planet, Cybernews, Concentric AI, Google Workspace Privacy Hub. 
