Microsoft Copilot

Important: there are at least three different Copilots

Microsoft uses the Copilot name for several products that have different defaults, different pricing, and very different privacy postures. This is even more confusing than the two-Geminis problem.

Consumer Copilot (copilot.microsoft.com, Copilot in Windows when signed in with a personal Microsoft Account, the Copilot mobile app). Free or Copilot Pro at $20/month. Trains on conversations by default if you are signed in.

Microsoft 365 Copilot (the enterprise add-on for Microsoft 365 Business and Enterprise plans, $30/user/month). Tenant-scoped. Never trains on your data. Inherits your existing Microsoft 365 permissions.

GitHub Copilot (the code-completion product). Separate product, separate billing, separate policy. See the GitHub Copilot vendor profile for the full picture — and note the policy flipped from opt-in to opt-out on April 24, 2026 for Free/Pro/Pro+ tiers.

This profile covers the first two. GitHub Copilot has its own profile.

Plain-English risk rating: 3 of 5 (Consumer Copilot) / 2 of 5 (Microsoft 365 Copilot)

We have split this profile because the products are different enough to warrant separate ratings.

Consumer Copilot sits at 3 — same family as ChatGPT consumer, Claude consumer, and consumer Gemini. Training is on by default for signed-in users. Opt-out is available and reasonably easy to find.

Microsoft 365 Copilot sits at 2 (lower risk than Workspace Gemini at 1 — see "Why not 1" below). The contractual no-training and tenant-isolation defaults are genuinely strong. What pulls it from 1 to 2 is the EchoLeak vulnerability (CVE-2025-32711) disclosed in June 2025 — a zero-click prompt injection that allowed sensitive enterprise data exfiltration with no user interaction. Microsoft patched it, but the broader class of indirect prompt injection vulnerabilities in agentic AI is structurally unsolved. Microsoft 365 Copilot has a larger agentic surface than Workspace Gemini, which proportionally widens the attack surface.

Recommended for

  • Sole proprietor on a personal Microsoft Account: Turn off the training setting in Copilot privacy controls. Or stop using Consumer Copilot for client work entirely and move to Microsoft 365 Copilot through a business account
  • Small team (2-10 people) already on Microsoft 365 Business: Microsoft 365 Copilot at $30/user/month if the productivity uplift justifies the cost. Run a permissions audit first — see "Critical pre-deployment warning" below
  • Regulated industry: Microsoft 365 Copilot with EU Data Boundary or GCC tenant residence, plus Microsoft Purview AI Hub for monitoring, plus BYOK encryption for Restricted-tier data
  • The honest answer for most 1-10 employee businesses: If you are already on Microsoft 365 Business Standard or higher, Microsoft 365 Copilot is a strong choice on the privacy axis — but only after you have done a SharePoint and OneDrive permissions cleanup. The product is safe; the permission gaps in your tenant are the actual risk

Critical pre-deployment warning (Microsoft 365 Copilot)

This is the most important sentence in this profile: Microsoft 365 Copilot inherits your existing Microsoft 365 permission model exactly as it stands.

In practice, that means: if your SharePoint sites have accumulated overly permissive sharing settings over the past 5-15 years (which is true of virtually every Microsoft 365 tenant), Copilot will surface content from those sites in responses. Users will see results from documents they technically have access to but have never visited and were never meant to see. There are no examples on record of Microsoft 365 Copilot bypassing permissions — but there are many examples of organisations discovering, after Copilot rollout, that their permissions were much more permissive than anyone realised.

Day-1 mitigation is Microsoft's Restricted Search feature, which can be enabled at the tenant level to limit Copilot grounding to a curated set of sources. Long-term fix is a SharePoint/OneDrive permissions audit. Both should happen before, not after, Copilot deployment.

Data retention default

Consumer Copilot:

  • Conversations retained per the Microsoft consumer privacy policy
  • Training enabled by default for signed-in users
  • Opt-out at: copilot.microsoft.com → Settings → Privacy → toggle training off
  • Can opt out of training while keeping personalisation (per Microsoft's documented FAQ)

Microsoft 365 Copilot:

  • Prompts and responses stored within the user's mailbox (logged in Microsoft 365 audit trail)
  • Subject to your existing Microsoft Purview retention policies — admins control
  • Processed entirely within the Microsoft 365 service boundary
  • Tenant-isolated; no cross-tenant data flow
  • EU Data Boundary supported for EU tenants

Training opt-out

Consumer Copilot — TRAINING IS ON BY DEFAULT for signed-in users. Same trap as the other consumer-tier products.

If you are NOT signed in with a Microsoft Account or other third-party authentication, Microsoft does not train on your conversations. (Microsoft's own FAQ confirms this — being signed out is functionally an opt-out at the cost of losing chat history and personalisation.)

Microsoft 365 Copilot — TRAINING IS CONTRACTUALLY EXCLUDED BY DEFAULT. Tenant data is never used to train Microsoft's foundation models. This is contractually guaranteed via the Microsoft 365 Data Protection Addendum. No user-side toggle needed.

Note: there are optional tenant admin settings to share data with Microsoft for product improvement (e.g., the Dynamics 365 and Power Platform Copilot features have an "optional data sharing" flag). These are opt-in by tenant admins and off by default.

Zero Data Retention availability

  • Not applicable in the same form as ChatGPT/Claude API ZDR. Microsoft 365 Copilot's tenant-isolation model is structurally different — your data is retained, but it stays inside your Microsoft 365 boundary and is not used for training or accessible to Microsoft for any purpose other than serving you
  • For Azure OpenAI Service customers building applications, abuse-monitoring data retention is configurable, including options to opt out of human review for qualified customers with Enterprise Agreements

Plan tiers and pricing (as of early 2026)

TierPrice (USD)Training on your data?Suitable for
Copilot (free, signed-out)$0No (because signed-out)Quick questions, public info
Copilot (free, signed-in)$0Yes, unless opted outPersonal use
Copilot Pro$20/monthYes, unless opted outPersonal use; not for client work without opt-out
Microsoft 365 Copilot$30/user/month (add-on to M365 Business/Enterprise)No — contractually excludedTeams already on Microsoft 365
Microsoft 365 Copilot ChatIncluded with eligible Microsoft 365 plansNo — contractually excludedAll eligible Microsoft 365 users
Azure OpenAI ServicePay-per-tokenNo, by defaultDevelopers building applications

Notable: Microsoft 365 Copilot Chat (the conversational interface that uses web grounding rather than tenant grounding) was rolled into eligible Microsoft 365 plans during 2025 as a baseline feature. This is a meaningful free upgrade for Microsoft 365 Business and Enterprise subscribers.

Jurisdiction

  • Primary processor: Microsoft Corporation, Redmond, Washington, USA
  • Cloud infrastructure: Microsoft Azure
  • Microsoft 365 Copilot processes prompts and responses within the Microsoft 365 service boundary in the geographic region associated with the tenant
  • EU Data Boundary: for qualifying customers, Microsoft 365 Copilot prompts and responses are processed within the EU
  • Azure OpenAI inference runs within the same regional boundary as your tenant — your data is not transferred to OpenAI

Breach history (public incidents)

June 2025 — EchoLeak (CVE-2025-32711) — the most significant AI security vulnerability disclosed to date

Aim Security researchers disclosed EchoLeak in June 2025, a zero-click indirect prompt injection vulnerability in Microsoft 365 Copilot. CVSS severity score 9.3.

How it worked: An attacker sent a benign-looking email to a target employee. The email contained hidden prompt-injection instructions (formatted to evade Copilot's prompt classifiers). The user did not need to open the email, click any link, or take any action — Copilot's normal retrieval engine would ingest the email as context when the user later asked Copilot something unrelated (for example, "summarise our quarterly report"). At that point, the hidden instructions in the attacker's email would execute as if they were part of Copilot's prompt, instructing Copilot to extract sensitive data from the user's emails, documents, and Teams chats and exfiltrate it via a Microsoft Teams asynchronous preview API (an allowed domain under Copilot's content security policy).

The attack required no user interaction, left no obvious trace in security logs, and could exfiltrate arbitrary sensitive data from anywhere the targeted user had access. Aim Security reported the vulnerability to Microsoft in January 2025 via responsible disclosure; Microsoft deployed a server-side fix in May 2025 (no user action required) and publicly disclosed the vulnerability in June 2025 with the CVE assignment. Affected builds: 2024.10.15 through 2025.01.10.

Microsoft's specific patch closed EchoLeak, but the broader class of indirect prompt injection vulnerabilities is structurally unsolved across the industry — NIST has described indirect prompt injection as "generative AI's greatest security flaw" and OWASP ranks it as the #1 threat in its 2025 LLM Top 10. Expect more EchoLeak-class disclosures over time.

Sources: Aim Security disclosure (January 2025 private, June 2025 public); Microsoft Security Response Center; CVE-2025-32711 NVD entry; Sentra analysis; Information Security Media Group, 2025-06-16

Note on oversharing incidents: Microsoft 365 Copilot has been involved in multiple publicly-discussed (and many more privately-discussed) cases where the product surfaced sensitive content to employees who technically had access but should not have seen it. These are not breaches in the security sense — the permissions allowed the access — but they are real data exposure events that frequently trigger emergency permissions remediation projects. EPC Group and other Microsoft consulting partners have documented the pattern extensively. No CVE is assigned because the underlying issue is customer permission configuration, not a product vulnerability.

Note on the Microsoft 365 platform more broadly: The Microsoft 365 platform itself has a substantial breach history that affects Copilot indirectly (since Copilot inherits the platform's security posture). Notable incidents include the July 2023 Storm-0558 incident (China-linked threat actor accessed Outlook email accounts via stolen Microsoft signing key) and the January 2024 Midnight Blizzard (Russian SVR-linked) compromise of Microsoft corporate email accounts. These pre-date Copilot's wide deployment but represent the threat baseline for any data accessible via Microsoft 365.

What this means in plain English for SMB owners

Three honest takeaways:

  1. If you are already paying for Microsoft 365 Business and you can justify another $30/user/month, Microsoft 365 Copilot is the most enterprise-grade AI option in this database that does not require a custom enterprise sales process. The contractual defaults are strong. The tenant-isolation model is real. The integration with your existing identity and permissions is genuinely valuable.
  1. Before you turn it on, fix your SharePoint and OneDrive permissions. Every Microsoft 365 tenant we have seen has overshare problems that nobody discovered until Copilot started surfacing the documents in responses. Allow time and budget for a permissions audit. Microsoft's Restricted Search feature is the day-1 fix; permissions cleanup is the long-term fix.
  1. EchoLeak is the canary in the coal mine. A nine-point-three-severity vulnerability that exfiltrated enterprise data with zero clicks is not a one-off. The broader class of indirect prompt injection vulnerabilities affects every AI assistant that reads user data — Microsoft 365 Copilot, Workspace Gemini, Notion AI, Slack AI, Zoom AI Companion, all of them. Microsoft has invested heavily in prompt-injection mitigations (Microsoft Purview DLP can detect injection patterns, Defender for Cloud Apps monitors for suspicious prompts) but the structural problem is unsolved. Plan for the next EchoLeak.

Sources

  • Microsoft Privacy FAQ for Copilot: https://support.microsoft.com/en-us/topic/privacy-faq-for-microsoft-copilot-27b3a435-8dc9-4b55-9a4b-58eeb9647a7f (verified 2026-05-22)
  • Microsoft Learn: Enterprise data protection in Microsoft 365 Copilot: https://learn.microsoft.com/en-us/microsoft-365/copilot/enterprise-data-protection (verified 2026-05-22)
  • Microsoft Learn: Data, Privacy, and Security for Microsoft 365 Copilot: https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy (March 2026)
  • Microsoft Learn: Copilot Chat Privacy and Protections: https://learn.microsoft.com/en-us/copilot/privacy-and-protections (March 2026)
  • Microsoft Q&A: Copilot Free vs Pro data privacy distinction (May 2025)
  • EPC Group: Microsoft 365 Copilot Security & Data Protection Guide (April 2026)
  • Avantiico: Is M365 Copilot safe for businesses (March 2026)
  • Aim Security: Aim Labs EchoLeak Microsoft 365 Copilot Vulnerability disclosure (June 2025)
  • Information Security Media Group: Copilot AI Bug Could Leak Sensitive Data (2025-06-16)
  • CovertSwarm: EchoLeak analysis (July 2025)
  • Sentra: EchoLeak (CVE-2025-32711) — what the Copilot prompt injection vulnerability means (May 2026)
  • Rescana: EchoLeak in-depth analysis (June 2025)
  • Beyond Innovation Substack: No Clicks, No Trace, Still Out (2025)
  • AAAI paper: EchoLeak first real-world zero-click prompt injection exploit
  • AICreative blog: Microsoft Copilot Pro features update (January 2026)

Related on AI Leakage