Productivity Tool or Privacy Risk? The Copilot Wake-Up Call


As organizations integrate AI assistants into daily workflows, many assume that existing security controls will extend seamlessly to these tools. Data Loss Prevention (DLP) labels and confidentiality tags are designed to restrict automated access to sensitive material. However, a recent incident has shown that those safeguards may not always function as intended when AI systems are involved.

Microsoft has confirmed that a flaw in Microsoft 365 Copilot allowed the assistant to access and summarize emails marked as “confidential”. The issue, identified in late January 2026, affected the “work tab” feature, which can generate summaries from a user’s Sent and Draft folders in Outlook. Although the messages were protected by confidentiality labels intended to block automated tools, the AI was still able to process their contents.

According to Cybernews, the problem stemmed from unintended behavior in the chat rather than a breakdown of core access controls. Once detected, the issue was addressed and a configuration update was deployed globally to enterprise customers. The company stated that while broader data protection policies remained in place, the assistant’s handling of protected emails did not align with the intended design.

The incident comes amid rapid expansion of AI-powered features across productivity platforms. The assistant is now integrated into applications such as Word, Excel, PowerPoint and Outlook, and organizations can build customized AI agents trained on internal data. These capabilities are designed to streamline workflows, automate document drafting and summarize communications.

Security researchers, however, have repeatedly highlighted the risks associated with embedding large language models into enterprise environments. Earlier demonstrations showed that AI assistants could be manipulated to exfiltrate sensitive information through crafted prompts or malicious links. Experts warn that traditional DLP systems were not originally designed to monitor how AI agents interpret and repackage data.

For defense organizations, critical infrastructure operators and government agencies, the implications are significant: email systems often contain operational details, procurement data and classified or sensitive discussions. An AI tool that inadvertently bypasses labeling policies could introduce a new vector for data exposure, even without an external breach.

As AI assistants become standard workplace tools, this incident underscores the need for tighter governance, continuous testing and clearer visibility into how automated systems interact with protected information.