Microsoft Copilot ignored sensitivity labels twice in eight months — and no DLP stack caught either one

Source link : https://tech365.info/microsoft-copilot-ignored-sensitivity-labels-twice-in-eight-months-and-no-dlp-stack-caught-both-one/

For four weeks beginning January 21, Microsoft’s Copilot read and summarized confidential emails regardless of the sensitivity labels and DLP policies telling it not to. The enforcement points broke inside Microsoft’s own pipeline, and no security tooling in the stack flagged it. Among the affected organizations was the U.K.’s National Health Service, which logged it as INC46740412 — a sign of how far the failure reached into regulated healthcare environments. Microsoft tracked it as CW1226324.

The advisory, first reported by BleepingComputer on February 18, marks the second time in eight months that Copilot’s retrieval pipeline violated its own trust boundary — a failure in which an AI system accesses or transmits data it was explicitly restricted from touching. The first was worse.

In June 2025, Microsoft patched CVE-2025-32711, a critical zero-click vulnerability that Aim Security researchers dubbed “EchoLeak.” One malicious email bypassed Copilot’s prompt injection classifier, its link redaction, its Content-Security-Policy, and its reference mentions to silently exfiltrate enterprise data. No clicks and no user action were required. Microsoft assigned it a CVSS score of 9.3.

Two different root causes; one blind spot: a code error and a sophisticated exploit chain produced an identical outcome. Copilot processed data it was explicitly restricted from touching, and…
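The blind spot described above is a single enforcement point with nothing independent behind it. The following is an added illustration, not Microsoft's code and not a model of Copilot's real internals: a constructed retrieval step that filters emails by sensitivity label, a simulated code error in that filter, and an independent audit of the assembled context that catches the leak the filter missed. All labels, policy, mailbox contents and function names are assumptions made for the example.

```python
"""Constructed example: label-based retrieval filtering plus an independent
context audit. Nothing here models Microsoft's actual Copilot pipeline."""
from dataclasses import dataclass
from typing import Optional

# Constructed DLP policy: an assistant must not process emails carrying these labels.
BLOCKED_LABELS = {"Confidential", "Highly Confidential"}

@dataclass
class Email:
    id: str
    subject: str
    body: str
    label: Optional[str] = None   # sensitivity label; None means unlabeled

def retrieve_buggy(emails, query):
    """Retrieval-time enforcement with a simulated code error: the policy set is
    lower-cased but the email label is not, so every labeled email slips through.
    If this is the only enforcement point, nothing downstream notices."""
    blocked = {l.lower() for l in BLOCKED_LABELS}
    return [e for e in emails
            if query.lower() in e.body.lower() and e.label not in blocked]

def retrieve_fixed(emails, query):
    """Same retrieval with the label comparison normalised on both sides."""
    blocked = {l.casefold() for l in BLOCKED_LABELS}
    return [e for e in emails
            if query.lower() in e.body.lower()
            and (e.label or "").casefold() not in blocked]

def audit_context(context, label_store):
    """Independent check just before the context reaches the model: re-resolve
    each item's label from the label store instead of trusting the retrieval
    stage. Returns the ids that violate policy (an alert, not a silent drop)."""
    return [e.id for e in context if label_store.get(e.id) in BLOCKED_LABELS]

# Constructed sample mailbox; the label store is what a DLP service would hold.
MAILBOX = [
    Email("m1", "Lunch", "Team lunch on Friday", label="General"),
    Email("m2", "Transfer", "Patient transfer schedule attached", label="Confidential"),
    Email("m3", "Newsletter", "Monthly newsletter", label=None),
]
LABEL_STORE = {e.id: e.label for e in MAILBOX}

def run(retriever, query="transfer"):
    """Run one retrieval and audit it; returns (context ids, violating ids)."""
    ctx = retriever(MAILBOX, query)
    return [e.id for e in ctx], audit_context(ctx, LABEL_STORE)
```

With the buggy retriever the audit reports `m2` as a violation even though retrieval let it through; with the fixed retriever both lists are empty.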

—-

Author : tech365

Publish date : 2026-02-20 21:46:00

Copyright for syndicated content belongs to the linked Source.

—-
