Microsoft Copilot ignored sensitivity labels twice in eight months — and no DLP stack caught either one

In a recent incident, Microsoft’s Copilot AI system breached sensitive data access boundaries, exposing confidential emails for four weeks starting January 21. Despite strict sensitivity labels and data loss prevention policies in place, Copilot read and summarized these emails without detection by any security tool in Microsoft’s stack. The breach impacted organizations like the U.K.’s National Health Service, highlighting the severity of the security lapse.

This breach, tracked as CW1226324 by Microsoft, marked the second time in eight months that Copilot violated its own trust boundary. The first instance, known as EchoLeak, occurred in June 2025 when a malicious email exploited a critical vulnerability to exfiltrate enterprise data without any user interaction. Both incidents revealed a fundamental design flaw in Copilot’s retrieval pipeline, allowing it to access restricted data despite controls in place.

Although the root causes differed, a code error in one case and a sophisticated exploit chain in the other, both breaches fell into the same blind spot of traditional security tools like endpoint detection and response (EDR) and web application firewalls (WAF). These tools were not designed to detect violations within AI systems like Copilot, which operate behind an enforcement layer.

To address this issue, security leaders are advised to conduct a five-point audit to prevent similar breaches in the future. This includes testing DLP enforcement directly against Copilot, blocking external content from entering Copilot’s context window, auditing logs for anomalous interactions, enabling Restricted Content Discovery for sensitive data, and establishing an incident response playbook for vendor-hosted inference failures.
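One way to approach the log-audit step, as an added example that is not from the article or from Microsoft: the script scans exported assistant-interaction records for the exposure window and flags any interaction whose context held a restricted-label resource, with a second finding when external content sat in the same context. The record layout, field names, label names and the year of the window are assumptions made for illustration; map them to what your own audit export contains.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical label names; substitute the labels your tenant treats as off-limits.
RESTRICTED_LABELS = {"Confidential", "Highly Confidential"}

# Constructed sample export, one JSON record per line. The field names are a
# simplified, assumed layout and not a real audit schema.
SAMPLE_LOG = """\
{"id": "a1", "time": "2026-01-20T09:00:00+00:00", "resources": [{"name": "plan.eml", "label": "Confidential", "external": false}]}
{"id": "a2", "time": "2026-01-22T10:15:00+00:00", "resources": [{"name": "offer.eml", "label": "Confidential", "external": false}]}
{"id": "a3", "time": "2026-02-03T14:30:00+00:00", "resources": [{"name": "inbound.eml", "label": null, "external": true}, {"name": "board.docx", "label": "Highly Confidential", "external": false}]}
{"id": "a4", "time": "2026-02-10T08:00:00+00:00", "resources": [{"name": "menu.docx", "label": "General", "external": false}]}
{"id": "a5", "time": "2026-02-19T11:00:00+00:00", "resources": [{"name": "notes.eml", "label": "Confidential", "external": false}]}
"""


def audit(lines, start, end, restricted=RESTRICTED_LABELS):
    """Return (record id, finding) pairs for interactions inside [start, end)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["time"])
        if not (start <= when < end):
            continue
        resources = rec.get("resources", [])
        # A restricted label in the assistant's context should have been excluded by policy.
        if not any(r.get("label") in restricted for r in resources):
            continue
        findings.append((rec["id"], "restricted_label_in_context"))
        # Externally sourced content in the same context raises the priority.
        if any(r.get("external") for r in resources):
            findings.append((rec["id"], "external_content_with_restricted_data"))
    return findings


if __name__ == "__main__":
    # Four-week window starting January 21; the year is an assumption.
    start = datetime(2026, 1, 21, tzinfo=timezone.utc)
    for rec_id, finding in audit(SAMPLE_LOG.splitlines(), start, start + timedelta(weeks=4)):
        print(rec_id, finding)
```

Records outside the window (a1, a5) and records with only unrestricted labels (a4) produce no finding, so the output is limited to interactions worth a manual review.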

The implications of these breaches extend beyond Copilot, as AI assistants in various organizations may exhibit unintended or unauthorized behavior. It is crucial for businesses to implement robust governance measures and security controls to mitigate the risks associated with AI systems accessing sensitive data.

By following the recommended audit steps and implementing strict controls, organizations can better safeguard their sensitive information and prevent future breaches like the ones experienced by Microsoft’s Copilot.