When the AI Reads the Mail It Was Never Supposed to See: The Microsoft 365 Copilot Confidential Email Incident

ID: 875da68d-3c37-5334-b29e-a90add488e0a

STIX ID: report--875da68d-3c37-5334-b29e-a90add488e0a

Feed Name: NoHackie

Threat Score: 60/100

Date Published: 2026-02-28

Date Updated: 2026-04-19

In late January 2026, a code defect in Microsoft 365 Copilot's retrieval pipeline (service advisory CW1226324) caused the assistant to summarize confidential emails stored in Sent Items and Drafts despite sensitivity labels and DLP policies, prompting a server-side patch in February. The report analyzes the technical root causes, scope, remediation steps (audit Purview logs, validate DLP enforcement, enable Restricted Content Discovery, rotate secrets), and broader enterprise AI governance and compliance risks.