A bug in Microsoft 365 Copilot’s “Work Tab” chat feature has been summarizing the contents of confidential emails that should be beyond its reach, with the AI tool ignoring the privacy labels of emails sitting in certain folders.
Specifically, emails that reside in the “sent” and “draft” folders may be included when Copilot trawls through inboxes to create summaries. A confidentiality label can be applied by users to emails that they want to be skipped over by the AI tool during this process, but a coding bug appears to cause it to ignore the labels on the contents of these Outlook desktop folders. Microsoft has since issued a configuration update to fix the issue, but confidential emails from prior to February 20 of this year may have been subject to the bug.
Microsoft claims AI tool’s error is a “non-issue”
It’s unclear exactly when the AI tool began summarizing confidential emails, but Copilot Chat has gradually made the suite of AI-driven features available to business customers in 365 since September 2025. The issue was first brought to public attention by Bleeping Computer on February 18. Other news reports indicate Microsoft may have been aware of the issue with the confidential emails as early as January, but did not issue a patch until very recently.
Microsoft has downplayed the issue in official communications, stating that the summaries of the confidential emails were not exposed to anyone that did not already have access to the messages in question. There is always some concern about exactly where information goes once AI tools have ingested it, however. Microsoft has said that it does not use 365 Copilot interactions as training data, and that it makes additional use of Azure OpenAI services that do not cache user content or review it for abuse. However, it does say that it stores prompts and responses internally in an encrypted form, including “citations to any information used to ground Copilot’s response.” Admins are able to view and manage this stored data via Content search or Microsoft Purview.
Issue with confidential emails among numerous recent Microsoft lapses
The problem with the confidential emails may indeed be relatively minor if the data is not being taken in and held somewhere with the possibility of a breach or random AI regurgitation somewhere else. However, it is one among a string of recent red flags for Microsoft on the AI privacy and security front. The company recently reversed course on its planned “AI everywhere” strategy to integrate Copilot into as much of Windows 11 as possible, only three months after Windows president Pavan Davuluri announced plans to turn the controversial operating system version into the first “agentic OS.” The company has not laid out a full roadmap as of yet, but is reportedly looking for places to trim Copilot buttons when they do not make sense (such as being part of Notepad, which recently experienced its own highly-publicized security flaw involving malicious markdown links of the sort that AI might autonomously opt to follow).
These issues are also not limited to Microsoft. Failures with other AI tools are giving developers pause and causing some re-evaluation of strategy. One recent example comes from Meta, where head of AI safety and alignment Summer Yue took to social media to document popular new autonomous AI agent OpenClaw shredding her inbox while ignoring repeated commands to stop deleting emails. This comes not long after the announcement that OpenClaw has been acquired by OpenAI and will be integrated into its ecosystem going forward. Another story that has made the rounds on social media is that of an OpenClaw agent that gave away a large chunk of the owner’s cryptocurrency to a random person that alleged damages and demanded compensation. A number of executives of tech firms, including some from Meta and Valere, have banned employees from using OpenClaw at work given its unpredictability and raft of early security issues.
Despite the current massive boom in agentic AI projects, a late 2025 research paper from Gartner predicted that at least 40% of these will be abandoned by 2027 due to a combination of unsustainable costs, inability to establish long-term ROI for investors, and poor governance. The AI tools that survive will likely be those that very clearly define what they do to solve a specific business problem, but they will also need to establish security and stability (not deleting or exposing confidential emails being an excellent first step). And this is before getting into the increasingly frequent use of “vibe coding” to gain a “first mover” advantage without proper regard for security fundamentals, something that quickly sank AI social media phenomenon Moltbook.
Melissa Ruzzi, director of AI at AppOmni, notes that the long process of training and improving employees in things like phishing email detection will now likely have to be repeated for AI tools: “This issue shows how important it is to pay extra attention to how data is treated before it’s passed to AI, and also how metadata present in the data is handled by the AI. Without proper due diligence on the data handling by the AI, sensitive information may not be treated with the rigor it should. One important point to always keep in mind is the volume and complexity of data that AI tools are dealing with, and the fact that LLMs are inherently non-deterministic, meaning they can produce different outputs for the exact same input. So even without a vulnerability like this, just because a user places a confidential label on data when inputting it into the AI chat doesn’t always mean the AI will follow that instruction. Unfortunately, sometimes this is not given proper attention, which can cause issues once customer adoption increases. To mitigate these threats, the first important action is to make sure employees are trained on best practices for using AI. Give them guidelines on what they should pay attention to, empowering them to not only properly use AI, but also raise concerns as issues arise. This can help detect problems early. Second, every organization that uses SaaS apps such as M365 needs AI monitoring in place, given the increased adoption of AI features embedded within SaaS apps.”

