
For the second time in eight months, Microsoft’s flagship AI assistant, Copilot, has been found circumventing the very security protocols designed to make it safe for enterprise adoption. A critical bug active throughout early 2026 allowed the AI to read, summarize, and surface emails explicitly marked "Confidential," bypassing Data Loss Prevention (DLP) policies and exposing sensitive data across major organizations, including the UK’s National Health Service (NHS).
This latest incident, which left sensitive records vulnerable for nearly four weeks, is not an isolated glitch. It follows a severe vulnerability discovered in June 2025, painting a concerning picture of a "systemic blind spot" in the modern AI security stack. As enterprises rush to deploy Generative AI, these repeated failures raise urgent questions: Can legacy security frameworks like DLP and sensitivity labels truly contain Large Language Models (LLMs) at runtime?
In late January 2026, a code-level defect in Microsoft 365 Copilot effectively disabled the "trust boundary" that organizations rely on to protect their most sensitive communications. The bug, tracked by Microsoft as CW1226324, allowed the AI assistant to access, process, and summarize emails stored in users' "Sent Items" and "Drafts" folders, even when those emails bore restrictive sensitivity labels such as "Highly Confidential" or were covered by active DLP policies.
Under normal operations, sensitivity labels act as digital "do not enter" signs for the AI. If a document is labeled "Confidential," Copilot is contractually and technically obligated to ignore it during its Retrieval-Augmented Generation (RAG) process. However, for approximately 28 days—from January 21 to February 19, 2026—this mechanism failed for specific Outlook folders.
The impact was felt acutely in regulated sectors. The NHS, which manages vast amounts of private patient data, flagged the incident internally as INC46740412. For nearly a month, staff utilizing Copilot for routine administrative tasks could have inadvertently surfaced protected health information (PHI) or internal strategy documents that were supposed to be invisible to the AI model.
While Microsoft has since deployed a fix and stated that the bug "did not provide anyone access to information they weren't already authorized to see," the failure undermines the core promise of AI governance: that the AI will not process data it has been told to ignore. In a legal or compliance context, the mere processing of restricted data by an AI model—summarizing a privileged legal draft or a patient record—can constitute a breach of policy.
The February 2026 failure is the second major strike against Copilot’s security architecture in less than a year. Eight months prior, in June 2025, researchers unveiled a critical vulnerability dubbed "EchoLeak" (CVE-2025-32711).
Unlike the February bug, which was a functional failure of labels, EchoLeak was a sophisticated "zero-click" exploit. It allowed attackers to embed hidden instructions in benign-looking emails. When Copilot processed these emails, the hidden prompts would "hijack" the AI's context window, forcing it to retrieve and exfiltrate sensitive data to the attacker without the user ever realizing a breach had occurred.
Both incidents reveal a dangerous reality: Microsoft’s security controls are struggling to keep pace with the complex, non-deterministic nature of LLMs.
Comparison of Recent Copilot Security Failures
| Incident Name | Date Active | Root Cause | Mechanism of Failure |
|---|---|---|---|
| EchoLeak (CVE-2025-32711) | June 2025 | LLM Scope Violation | Malicious prompt injection allowed attackers to hijack RAG retrieval and exfiltrate data. |
| DLP Bypass (CW1226324) | Jan - Feb 2026 | Functional Code Defect | Copilot ignored sensitivity labels in specific Outlook folders (Drafts/Sent), summarizing confidential data. |
The recurrence of these issues highlights a fundamental disconnect between traditional data security and the way Generative AI operates.
Legacy tools like DLP and sensitivity labels are designed for static or transactional protection. They ask binary questions: Does User A have permission to open File B? Does this email contain a credit card number?
However, AI Copilots operate dynamically at runtime. They use RAG to scan, retrieve, and synthesize fragments of information from thousands of documents in milliseconds.
Security experts are increasingly warning that "applying permissions" is no longer sufficient. The AI layer itself requires a dedicated firewall—one that validates not just who is accessing data, but what the AI is doing with it in real time.
For CIOs and CISOs, the implications of the "twice in eight months" timeline are severe. The NHS exposure serves as a potent case study in the risks of relying on provider-native security controls for high-stakes environments.
Key Takeaways for Enterprise Leaders:
Microsoft has moved to patch these vulnerabilities, but the frequency of these high-profile failures suggests that the architecture of Enterprise AI is still finding its footing. Until the "blind spot" between static permissions and dynamic AI processing is closed, enterprises remain one update away from their next data exposure.