The Microsoft 365 Copilot Bug That Read Confidential Emails: What CW1226324 Means for AI Meeting Notes
Published July 03, 2026
- Bug CW1226324 let Microsoft 365 Copilot Chat summarize emails tagged 'Confidential' for three weeks in early 2026, bypassing configured DLP policies.
- Microsoft admitted 'a code issue' was responsible and shipped a worldwide fix in February — but has not disclosed how many tenants were affected.
- Microsoft's own documentation warns that sensitivity labels behave inconsistently across Copilot surfaces like Teams and Copilot Chat.
- The European Parliament and NHS restricted AI features in response; Penn State recommends disabling Recall over similar concerns.
- On-device AI transcription (Basil AI) eliminates this class of failure: audio and transcripts never enter a shared cloud that another service can accidentally read.
Quick answer: No — for three weeks in early 2026, a bug tracked as CW1226324 let Microsoft 365 Copilot Chat summarize emails explicitly labeled 'Confidential' even when data loss prevention (DLP) policies were configured to block automated access. Microsoft patched the flaw in February, but the incident shows that cloud AI assistants routinely see content their own vendor's controls promised to hide — a structural risk that on-device tools like Basil AI avoid entirely.
For three weeks in early 2026, Microsoft 365 Copilot Chat quietly summarized emails that organizations had explicitly labeled 'Confidential' — bypassing the exact data loss prevention (DLP) policies enterprises pay for. Here's what happened, why it matters for meeting AI, and why on-device processing is the only architecture that removes this failure mode.
If your organization runs Microsoft 365 with sensitivity labels and DLP configured, you probably assume that emails marked 'Confidential' are invisible to automated tools. Between January 21 and mid-February 2026, that assumption was wrong. A bug tracked internally as CW1226324 caused Microsoft 365 Copilot Chat's 'work tab' to summarize confidential emails from users' Sent Items and Drafts folders anyway — even when both a sensitivity label and an active DLP policy said no. The story, first broken by BleepingComputer, is a case study in how cloud AI assistants can quietly override the controls that make them 'safe' for regulated industries — and why meeting audio, in particular, belongs on-device.
What actually happened: the CW1226324 timeline
Microsoft first detected the issue on January 21, 2026, and confirmed it publicly through a service alert in February. According to BleepingComputer's reporting on the internal advisory, the flaw affected Copilot Chat's 'work tab' feature and 'incorrectly reads and summarizes emails stored in users' Sent Items and Drafts folders, including messages that carry confidentiality labels explicitly designed to restrict access by automated tools.' Microsoft's own admin notice was blunt: 'The Microsoft 365 Copilot "work tab" Chat is summarizing email messages even though these email messages have a sensitivity label applied and a DLP policy is configured.'
By the time The Register covered the incident on February 18, Microsoft had confirmed the root cause as 'a code issue [that] is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place.' A worldwide configuration update was already rolling out. Microsoft would not, however, say how many tenants were affected — only that the scope 'may change as the investigation continues.'
Microsoft's official position
The company's public statement threaded a careful needle. 'We identified and addressed an issue where Microsoft 365 Copilot Chat could return content from emails labeled confidential authored by a user and stored within their Draft and Sent Items in Outlook desktop,' a spokesperson told Cybernews. 'This did not provide anyone access to information they weren't already authorized to see. While our access controls and data protection policies remained intact, this behavior did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access.'
In plain English: users could only see summaries of emails they had already sent or drafted themselves. Nothing 'leaked' to a third party. But that's not the point. The point, as eSecurity Planet observed, is that 'Copilot analyzed and summarized content that organizations had explicitly marked as restricted and expected to be excluded from automated AI processing.' Compliance programs are built on the assumption that the labels do what they say. For three weeks, they didn't.
Why the DLP bypass matters more than a normal bug
Most cloud bugs are ephemeral. This one exposes a structural weakness in the entire 'cloud AI plus sensitivity label' model. As The Register noted, Microsoft's own documentation states that sensitivity labels behave inconsistently across Copilot surfaces: 'Although content with the configured sensitivity label will be excluded from Microsoft 365 Copilot in the named Office apps, the content remains available to Microsoft 365 Copilot for other scenarios,' such as Teams and Copilot Chat. In other words, the labeling story enterprises tell themselves — 'we tagged it Confidential, so the AI can't see it' — was never uniformly true.
That matters for GDPR compliance. Article 5 of the GDPR requires that personal data be processed lawfully, minimally, and with integrity and confidentiality. A DLP policy that a shared AI can silently bypass is not integrity. It matters for healthcare too: the HIPAA Security Rule requires technical safeguards that actually enforce access controls — not just paperwork claiming they do.
Who reacted: European Parliament, NHS, and university IT
Enterprise IT did not wait for Microsoft's final root-cause analysis. As CX Today reported, the European Parliament's IT department 'blocked built-in AI features on staff devices, citing concerns that AI tools could upload confidential correspondence to the cloud.' In the UK, the National Health Service 'logged the Copilot label bypass issue internally after the alert was reposted on its support portal.' Computing.co.uk added that the Parliament's technical support desk warned staff that 'some AI functions rely on cloud processing to perform tasks such as email summarisation or document drafting' and that this 'may involve transferring data to external servers.'
Universities have taken similar stances against adjacent Microsoft AI features. As GeekWire reported, one university announcement declared that Windows Recall 'introduces substantial and unacceptable security, legality, and privacy challenges,' and administrators were 'strongly urged' to disable it — a warning that reflects growing institutional skepticism about any Microsoft AI feature that touches sensitive content.
How this connects to AI meeting notes
Copilot Chat and Copilot in Teams share the same M365 Graph plumbing. When Copilot generates a meeting summary in Teams, it draws on the same tenant-wide index that governs email retrieval. If a bug in that index can surface labeled emails, it can just as easily surface labeled meeting transcripts. And meeting content is often more sensitive than email — legal strategy, HR investigations, M&A discussions, patient case reviews.
This is the same failure mode plaintiffs are now pressing in court. In Basich v. Microsoft Corporation (2:26-cv-00422, W.D. Wash., filed February 5, 2026), five Illinois residents allege Teams' live transcription creates 'voiceprints' subject to Illinois' Biometric Information Privacy Act — reflecting a growing consensus that cloud-based AI transcription silently processes content in ways users never consented to. We covered the co-liability implications for employers in our BIPA analysis.
Related: the broader plaintiff bar
Wiretapping-style class actions targeting AI transcription are proliferating. As the IAPP observed in late 2025, plaintiffs are creatively repurposing the Electronic Communications Privacy Act and the California Invasion of Privacy Act against AI notetakers because the underlying interception theory maps cleanly onto automated audio processing. The Copilot DLP bug lands on top of that legal environment, not adjacent to it.
Cloud AI vs. on-device AI: the structural comparison
The Copilot incident isn't just a Microsoft problem. It's what happens when any AI assistant sits inside a shared cloud tenant with broad read access. The alternative is on-device processing, where the AI never sees content the user didn't hand to it and no shared service can override local classification.
| Dimension | Cloud AI (Copilot Chat / Otter / Zoom AI) | On-device AI (Basil AI) |
|---|---|---|
| Where audio/text is processed | Microsoft Azure, AWS, or vendor cloud | Your iPhone or Mac (Apple Neural Engine) |
| Effect of a DLP/label bypass bug | All labeled content becomes AI-readable | N/A — no shared cloud index exists |
| Can vendor read your content? | Yes (subject to policy) | No — never leaves device |
| Cross-tenant AI incidents | Possible (see CW1226324) | Structurally impossible |
| Compliance posture | BAA + label enforcement + trust | Data minimization by design |
| Meeting audio uploaded? | Yes | No |
| Retention default | Vendor-controlled | User-controlled, deletable instantly |
The pattern: cloud AI, opaque access, retroactive apologies
CW1226324 is not the first Copilot incident. Security researcher Michael Bargury demonstrated at Black Hat USA 2024 how Copilot Studio bots can exfiltrate sensitive enterprise data, and Cybernews quoted him warning that a combination of 'insecure defaults, over-permissive plugins, and wishful design thinking made data leakage "probable, not just possible."' ImmuniWeb CEO Dr. Ilia Kolochenko told the same outlet that incidents like CW1226324 'will likely surge in 2026, possibly becoming the most frequent type of security incident at both large and small companies around the globe.'
The reason is architectural. Traditional safeguards, Kolochenko explained via Cybernews, 'including Data Loss Prevention systems, were never designed to monitor how AI agents access, interpret, and repackage sensitive data.' Your DLP was built to catch a human forwarding a spreadsheet — not an LLM silently indexing a Sent Items folder.
What competitor policies actually say
If Copilot's controls can quietly misfire, it is worth reading the fine print of the other cloud transcription tools your company might be piloting. Otter.ai's privacy policy grants Otter broad rights to process and retain conversation content for service improvement. Fireflies' privacy policy similarly permits use of meeting data for model improvement and analytics unless enterprise controls are actively configured. Zoom's privacy statement distinguishes 'customer content' from 'service-generated data' — a line reasonable people can disagree about where transcripts and AI summaries land.
None of these policies are inherently malicious. They are the trade-off you make for cloud AI. Bug CW1226324 is what happens when that trade-off breaks silently.
How Basil AI solves this
Basil AI's design assumption is the opposite of Copilot's: your meeting audio never leaves your device. Transcription runs through Apple's Speech Recognition framework on the Apple Neural Engine, which processes audio locally on iPhone 15 Pro and later, iPad Pro, and every M-series Mac. Summaries and action items are generated on-device from the local transcript. Nothing is uploaded, so no shared index exists to bypass and no vendor DLP misconfiguration can expose it.
Concretely, this means:
- No 'sensitivity label' the vendor might one day forget to honor — there is no vendor read path in the first place.
- No cross-service leakage: because Basil AI does not maintain a Graph-style index across your mailbox, calendar, and drives, a bug in one surface cannot expose another.
- No 'we've patched it, please trust us' announcements. If you never upload audio, you don't have to trust a patch.
- Instant deletion: your transcript is a local file. Remove it and it is gone.
For deeper context on how Apple Silicon's Neural Engine makes real-time on-device transcription practical, see our technical deep dive. For a broader look at how bot-free, on-device capture compares to the cloud-mediated model that Copilot, Otter, and Fireflies use, our Granola vs. Basil comparison covers the architectural differences. And if you're evaluating alternatives specifically for confidential workflows, our roundup of offline transcription apps for Mac, iPhone, and iPad in 2026 is a good starting point.
Practical steps if you rely on Copilot today
You don't have to rip out Microsoft 365 to reduce exposure. eSecurity Planet's post-incident checklist is a reasonable baseline: 'Validate that DLP policies and sensitivity labels are properly enforced within Copilot by testing how confidential content is handled across email and document workflows,' restrict Copilot access with role-based controls, 'review and harden Copilot configuration settings,' and 'enable comprehensive logging and integrate Copilot telemetry into SIEM or other monitoring platforms.' But — as CW1226324 demonstrates — testing what a vendor's policy is supposed to do is different from knowing what it is doing at any given moment.
For meetings and confidential conversations specifically, the more durable answer is to move that content off the shared cloud tenant entirely. That is what on-device transcription accomplishes.
The regulatory pressure is building
The EU AI Act's high-risk workplace-monitoring obligations begin biting in August 2026 — a deadline we covered in our EU AI Act analysis. Combined with growing BIPA enforcement in Illinois, tightening HIPAA scrutiny of AI scribes, and the wiretapping class-action wave now targeting Otter, Fireflies, and Abridge, cloud AI incidents like CW1226324 are unlikely to remain 'advisory'-tagged much longer. Boards should assume that the next Copilot-style bug will land inside a regulatory examination.
The bottom line
CW1226324 was, in Microsoft's telling, a bug that has been fixed. In the broader story of enterprise AI, it is a preview. When your AI assistant lives inside a shared cloud tenant with cross-surface read access, the day-to-day security of your most sensitive content depends on the correctness of every configuration boundary in that tenant — and on the vendor noticing when one of them breaks. On-device AI removes that dependency. Basil AI keeps your recordings and transcripts on your Mac and iPhone, where no other service can accidentally index them.
Meeting Notes That Can't Be Leaked by a Cloud Bug
Basil AI records, transcribes, and summarizes 100% on-device. Your meetings never touch Microsoft's servers — or anyone else's.
Frequently Asked Questions
What is Microsoft 365 Copilot bug CW1226324?
CW1226324 is Microsoft's internal tracking ID for a code defect first detected on January 21, 2026, that caused Copilot Chat's 'work tab' to read and summarize emails in users' Sent Items and Drafts folders even when those messages carried a Confidential sensitivity label and were governed by an active DLP policy. Microsoft rolled out a fix in early February 2026.
Did Copilot leak confidential emails to other users?
Not directly. Microsoft's statement to BleepingComputer said the bug 'did not provide anyone access to information they weren't already authorized to see' — the user could only summarize their own drafts and sent items. The compliance failure is that automated AI processing itself was supposed to be blocked by the sensitivity label, and it wasn't. Regulated organizations were still exposed to labeling and logging violations.
How does this affect AI meeting transcription and note-taking?
The same architecture that let Copilot Chat read labeled emails also underpins Copilot's meeting summaries in Teams. When your recordings, transcripts, and derived summaries live in a cloud tenant that a shared AI service can read, a single upstream bug can bypass every classification control you configured. On-device transcription apps that never upload audio remove that class of failure entirely.
Is Microsoft Copilot HIPAA and GDPR compliant?
Microsoft signs Business Associate Agreements for Microsoft 365 and offers EU Data Boundary controls, but incidents like CW1226324 highlight that compliance paperwork does not guarantee technical enforcement. GDPR Article 5 requires data minimization and integrity, and HIPAA requires access safeguards; a bug that reads confidential content despite active DLP policies undermines those requirements even if no data ever leaves the tenant.
How do I stop AI assistants from reading sensitive emails?
Audit Copilot's tenant permissions, verify sensitivity labels are enforced across every Copilot surface (not just Word and Excel), disable Copilot Chat for regulated groups, and integrate Copilot telemetry into SIEM. For meeting content specifically, the most robust control is to keep audio and transcripts off the cloud — use an on-device tool like Basil AI so no shared service can index them.
Which organizations disabled Copilot after this bug?
The European Parliament's IT department temporarily blocked built-in AI features on lawmakers' devices in February 2026, citing concerns about cloud transfer of confidential correspondence. The UK's National Health Service logged the Copilot label bypass internally, and Penn State's IT team continues to urge Windows administrators to disable adjacent AI features like Recall over 'substantial and unacceptable' privacy risks.