Microsoft has confirmed that an Office bug allowed Copilot Chat to process customers' confidential emails for weeks without permission. The issue matters because it involved messages that had a confidential label applied, and it occurred even where customers had data loss prevention policies intended to stop sensitive information from being ingested into Microsoft's large language model.
What Microsoft confirmed
The bug affected Copilot Chat, the AI-powered chat feature available to paying Microsoft 365 customers inside Office software products including Word, Excel, and PowerPoint. According to Microsoft, the problem meant that draft and sent email messages with a confidential label applied were incorrectly processed by Microsoft 365 Copilot chat.
Microsoft said admins can track the bug as CW1226324. That tracking detail is important for organizations because it gives administrators a specific reference point when reviewing whether their systems were exposed to the issue.
The company also said it began rolling out a fix for the bug earlier in February. When asked, a Microsoft spokesperson would not say how many customers are affected by the bug.
Why the Office bug raises concern
The central issue is not simply that Copilot Chat could summarize email. The concern is that it could read and outline the contents of emails that customers had tried to keep out of Microsoft's large language model through data loss prevention policies.
Those policies are meant to create a boundary around sensitive information. In this case, the source article says the bug allowed Copilot Chat to read and outline the contents of emails since January, even when those policies were in place.
For customers, that creates a gap between expected controls and actual behavior. If a message has a confidential label applied, users and administrators may reasonably expect that label to shape how the information is handled. Microsoft said the messages were instead being incorrectly processed by Microsoft 365 Copilot chat.
What customers know and do not know
The known facts are narrow but significant. Microsoft confirmed the bug, gave the identifier admins can use to track it, described the type of emails involved, and said a fix had started rolling out earlier in February.
Several details are not available from the source article. Microsoft would not say how many customers are affected. The source also does not provide a customer list, a full timeline beyond January and earlier in February, or details about what organizations may have seen in their own environments.
Based on the information available, the clearest customer takeaway is that administrators should treat CW1226324 as the reference point for the issue. The source specifically says the bug is trackable by admins under that identifier. The confirmed details, in summary:
- Product area: Copilot Chat in Microsoft 365 Office software products.
- Email types: draft and sent email messages.
- Label involved: messages with a confidential label applied.
- Policy concern: data loss prevention policies did not prevent the incorrect processing described by Microsoft.
- Fix status: Microsoft said it began rolling out a fix earlier in February.
The broader AI workplace issue
The report lands in a larger moment of concern about AI tools inside work systems. Earlier this week, the European Parliament's IT department told lawmakers that it blocked the built-in AI features on their work-issued devices.
The stated concern was that the AI tools could upload potentially confidential correspondence to the cloud. That concern closely echoes the Microsoft bug's core problem: workplace AI features can interact with sensitive communication, and organizations need confidence that controls behave as expected.
The European Parliament detail does not prove anything about Microsoft customers affected by this bug. It does show that institutional IT teams are actively weighing the risks of built-in AI features when those features may handle confidential correspondence.
What the incident means for Copilot trust
Copilot Chat is designed to bring AI assistance directly into Office software products used by paying Microsoft 365 customers. That placement makes it useful, but it also puts the feature close to documents, spreadsheets, presentations, and email workflows where sensitive information may appear.
This bug shows why AI access controls need to be reliable, visible, and understandable to administrators. If a confidential label and data loss prevention policies are expected to restrict processing, organizations need those protections to work consistently.
Microsoft's fix rollout addresses the bug, but the unanswered customer impact question remains important. Since the spokesperson would not say how many customers are affected, the public record from the source article does not establish the size of the issue.
For now, the confirmed facts are enough to make the incident notable: a Microsoft Office bug allowed Copilot Chat to process confidential draft and sent emails without permission, the issue had been present since January, and Microsoft said a fix began rolling out earlier in February.