Microsoft has warned that a Microsoft 365 Copilot issue caused Copilot Chat to generate summaries from sensitive emails that should have been blocked by sensitivity labels and data loss prevention controls. The issue was discovered on January 21st and was linked to Copilot’s Work Tab chat experience.
If your workplace relies on sensitivity labels and DLP to keep sensitive mail out of Copilot, the immediate questions are simple: has the fix reached your environment, and is Copilot still pulling from the wrong folders?
A DLP bypass in the Work tab
According to Microsoft, in an advisory first spotted by BleepingComputer, an internal code error caused Copilot’s “Work Tab” chat to pick up items from “Sent Items” and “Drafts” and combine them into summaries, even when a sensitivity label and a DLP policy were configured to block that.
These folders routinely contain sensitive data. Drafts may hold negotiations, early numbers, or wording you never intended to send. Sent Items may include final wording sent to a customer, partner, or regulator. A summary that quotes even a limited amount of that text makes it easier for the information to spread in everyday chat.
The key point for administrators is that this isn’t about a user copying and pasting an email into Copilot: the assistant itself read from folders that the label and DLP policy should have kept it out of.
What Microsoft still doesn’t say
Microsoft began rolling out a fix in early February and says it is monitoring to confirm the change works. But two details that security teams need were not shared: how many tenants were affected, and how far back the behavior went before it was discovered on January 21.
Without a clear window, it’s difficult to choose between a narrow review and a more comprehensive one.
What you should do next
Administrators should test whether Copilot Work Tab chat can still aggregate labeled emails from Sent Items and Drafts in your environment. Write down what you observe and keep it with the audit notes in case your security team needs to document the impact later. Be thorough.
For everyone else, treat Copilot summaries as something to be reviewed, not something you can trust by default, until your IT team confirms the updated behavior. If you process regulated or contractual information, flag this now so the controls can be reviewed and, where needed, tightened.
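To support the "document the impact" step above, here is an added example in Python that is not from the article, Microsoft, or BleepingComputer. It triages an exported set of Copilot audit records and lists the interactions inside a review window that accessed at least one labeled email, so a reviewer can widen the window as Microsoft's timeline becomes clearer. The record layout (CreationTime, UserId, AuditData with CopilotEventData, AppHost, AccessedResources, SensitivityLabelId) is an assumption modelled on the unified audit log's Copilot events and should be checked against a real export; the sample records are constructed. Whether the Work Tab bypass is actually fixed still has to be tested by hand in Copilot itself.

```python
"""Triage exported Copilot audit records for interactions that touched labeled mail.

Added example. The field names below are assumptions modelled on the Microsoft 365
unified audit log's CopilotInteraction records; verify them against a real export.
The sample data is constructed and does not come from the incident.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: three Copilot interactions, two of which read a
# labeled email (one from Sent Items, one from Drafts) inside January.
SAMPLE_EXPORT = json.dumps([
    {
        "CreationTime": "2026-01-15T09:12:00",
        "Operation": "CopilotInteraction",
        "UserId": "alice@example.test",
        "AuditData": json.dumps({"CopilotEventData": {"AppHost": "Outlook", "AccessedResources": [
            {"Name": "Re: Q1 pricing", "Type": "Email", "SensitivityLabelId": "label-confidential-0001"},
            {"Name": "Team lunch", "Type": "Email", "SensitivityLabelId": ""},
        ]}}),
    },
    {
        "CreationTime": "2026-01-20T14:30:00",
        "Operation": "CopilotInteraction",
        "UserId": "bob@example.test",
        "AuditData": json.dumps({"CopilotEventData": {"AppHost": "Outlook", "AccessedResources": [
            {"Name": "Draft: contract wording", "Type": "Email", "SensitivityLabelId": "label-confidential-0001"},
        ]}}),
    },
    {
        "CreationTime": "2026-02-10T08:00:00",
        "Operation": "CopilotInteraction",
        "UserId": "alice@example.test",
        "AuditData": json.dumps({"CopilotEventData": {"AppHost": "Outlook", "AccessedResources": [
            {"Name": "Weekly status", "Type": "Email", "SensitivityLabelId": ""},
        ]}}),
    },
])


def _ts(value):
    """Audit timestamps are UTC without an offset; make them timezone-aware."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_records(export_text):
    """Decode the outer export and the JSON-in-a-string AuditData field."""
    records = []
    for rec in json.loads(export_text):
        data = rec["AuditData"]
        if isinstance(data, str):  # exports usually carry AuditData as a JSON string
            data = json.loads(data)
        event = data.get("CopilotEventData", {})
        records.append({
            "time": _ts(rec["CreationTime"]),
            "user": rec["UserId"],
            "app": event.get("AppHost", ""),
            "resources": event.get("AccessedResources", []),
        })
    return records


def labeled_hits(records, start, end):
    """Interactions in [start, end) that accessed at least one labeled resource."""
    hits = []
    for r in records:
        if not (start <= r["time"] < end):
            continue
        labeled = [res for res in r["resources"] if res.get("SensitivityLabelId")]
        if labeled:
            hits.append({
                "time": r["time"].isoformat(),
                "user": r["user"],
                "app": r["app"],
                "labeled_items": [(res["Name"], res["SensitivityLabelId"]) for res in labeled],
            })
    return hits


def summarize_for_audit_notes(hits):
    """Counts suitable for pasting into the audit notes: interactions and labeled items per user."""
    per_user = {}
    for h in hits:
        per_user[h["user"]] = per_user.get(h["user"], 0) + len(h["labeled_items"])
    return {"interactions": len(hits), "labeled_items_per_user": per_user}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    # Review window: widen the start date as Microsoft clarifies how far back the behavior went.
    window = (_ts("2026-01-01T00:00:00"), _ts("2026-02-01T00:00:00"))
    hits = labeled_hits(recs, *window)
    print(json.dumps(summarize_for_audit_notes(hits), indent=2))
```

The output lists who had labeled mail pulled into a Copilot interaction and when, which is the evidence the audit notes need. Because Microsoft has not said how far back the behavior went, the window is a parameter rather than a constant: start with the discovery date and move it earlier until the hits stop.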