TechBeetle | Microsoft Copilot ignored sensitivity labels twice in eight months — and no DLP stack caught either one

Key facts

For four weeks starting January 21, Microsoft's Copilot read and summarized confidential emails despite every sensitivity label and DLP policy telling it not to.
The enforcement points broke inside Microsoft’s own pipeline, and no security tool in the stack flagged it.
Among the affected organizations was the U.K.'s National Health Service, which logged it as INC46740412 — a signal of how far the failure reached into regulated healthcare environments.

Why it matters

For four weeks starting January 21, Microsoft's Copilot read and summarized confidential emails despite every sensitivity label and DLP policy telling it not to.

The enforcement points broke inside Microsoft’s own pipeline, and no security tool in the stack flagged it.

Among the affected organizations was the U.K.'s National Health Service, which logged it as INC46740412 — a signal of how far the failure reached into regulated healthcare environments.

Microsoft tracked it as CW1226324.

The advisory, first reported by BleepingComputer on February 18, marks the second time in eight months that Copilot’s retrieval pipeline violated its own trust boundary — a failure in which an AI system accesses or transmits data it was explicitly restricted from touching.

The first was worse.

In June 2025, Microsoft patched CVE-2025-32711, a critical zero-click vulnerability that Aim Security researchers dubbed “EchoLeak.” One malicious email bypassed Copilot’s prompt injection classifier, its link redaction, its Content-Security-Policy, and its reference mentions to silently exfiltrate enterprise data.

No clicks and no user action were required.

Microsoft assigned it a CVSS score of 9.3.

Two different root causes; one blind spot

A code error and a sophisticated exploit chain produced an identical outcome.

Copilot processed data it was explicitly restricted from touching, and the security stack saw nothing.

Why EDR and WAF continue to be architecturally blind to this

Endpoint detection and response (EDR) monitors file and process behavior.

Web application firewalls (WAFs) inspect HTTP payloads.

Neither has a detection category for “your AI assistant just violated its own trust boundary.” That gap exists because LLM retrieval pipelines sit behind an enforcement layer that traditional security tools were never designed to observe.

Copilot ingested a labeled email it was told to skip, and the entire action happened inside Microsoft's infrastructure, between the retrieval index and the generation model.

Nothing dropped to disk, no anomalous traffic crossed the perimeter, and no process spawned for an endpoint agent to flag.

The security stack reported all-clear because it never saw the layer where the violation occurred.
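
A violation at this layer is only visible in records of what the assistant itself retrieved. The following is an added example, not code from the article or from Microsoft: a Python check over constructed retrieval-audit records that lists every excluded-label item that reached the assistant and the length of the exposure window. The record fields (`ts`, `user`, `resources`, `label`), the label names and the excluded-label policy are all assumptions made for illustration.

```python
import json
from datetime import datetime

# Hypothetical policy: labels the assistant must never retrieve.
EXCLUDED_LABELS = {"confidential", "highly confidential"}

# Constructed sample: one JSON record per assistant retrieval event.
# Field names are assumptions, not any vendor's audit schema.
SAMPLE_LOG = """
{"ts": "2026-03-01T09:14:00Z", "user": "a.khan", "resources": [{"id": "msg-101", "label": "Confidential"}]}
{"ts": "2026-03-02T11:02:00Z", "user": "b.lee", "resources": [{"id": "msg-102", "label": "General"}, {"id": "msg-103"}]}
{"ts": "2026-03-20T16:40:00Z", "user": "a.khan", "resources": [{"id": "msg-104", "label": " Highly Confidential "}]}
truncated-record-not-json
"""

def parse_events(text):
    """Yield parsed records; skip blank or malformed lines."""
    for line in text.splitlines():
        try:
            if line.strip():
                yield json.loads(line)
        except json.JSONDecodeError:
            continue  # production code should count these and alert

def find_violations(events, excluded=EXCLUDED_LABELS):
    """Return every excluded-label item that reached the assistant."""
    hits = []
    for ev in events:
        for res in ev.get("resources", []):
            # Normalize: labels may differ in case or padding; unlabeled -> "".
            label = (res.get("label") or "").strip().lower()
            if label in excluded:
                hits.append({"ts": ev["ts"], "user": ev["user"],
                             "id": res["id"], "label": label})
    return hits

def exposure_window(hits):
    """First hit, last hit, and whole days between them (None if clean)."""
    if not hits:
        return None
    times = sorted(datetime.fromisoformat(h["ts"].replace("Z", "+00:00"))
                   for h in hits)
    return times[0], times[-1], (times[-1] - times[0]).days

if __name__ == "__main__":
    found = find_violations(parse_events(SAMPLE_LOG))
    for h in found:
        print(h)
    print("exposure window (days):", exposure_window(found)[2])
```

Run on a schedule against the assistant's own access records, a non-empty result is the alert that file, process and HTTP monitoring cannot produce for this layer.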