Comply with ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Dubbed “Reprompt,” the assault used a URL parameter to steal person knowledge.
- A single click on was sufficient to set off all the assault chain.
- Attackers might pull delicate Copilot knowledge, even after the window closed.
Researchers have revealed a brand new assault that required just one click on to execute, bypassing Microsoft Copilot safety controls and enabling the theft of person knowledge.
Additionally: How to remove Copilot AI from Windows 11 today
Meet Reprompt
On Wednesday, Varonis Menace Labs printed new research documenting Reprompt, a brand new assault methodology that affected Microsoft’s Copilot AI assistant.
Reprompt impacted Microsoft Copilot Private and, based on the group, gave “menace actors an invisible entry level to carry out a knowledge‑exfiltration chain that bypasses enterprise safety controls fully and accesses delicate knowledge with out detection — all from one click on.”
Additionally: AI PCs aren’t selling, and Microsoft’s PC partners are scrambling
No person interplay with Copilot or plugins was required for this assault to set off. As a substitute, victims needed to click on a hyperlink.
After this single click on, Reprompt might circumvent safety controls by abusing the ‘q’ URL parameter to feed a immediate and malicious actions by to Copilot, probably permitting an attacker to ask for knowledge beforehand submitted by the person — together with personally identifiable data (PII).
“The attacker maintains management even when the Copilot chat is closed, permitting the sufferer’s session to be silently exfiltrated with no interplay past that first click on,” the researchers mentioned.
How did Reprompt work?
Reprompt chained three methods collectively:
- Parameter 2 Immediate (P2P injection): By exploiting the ‘q’ URL parameter, an attacker might fill a immediate from a URL and inject crafted, malicious directions that compelled Copilot to carry out actions, together with knowledge exfiltration.
- Double-request: Whereas Copilot had safeguards that prevented direct knowledge exfiltration or leaks, the group discovered that repeating a request for an motion twice would pressure it to be carried out.
- Chain-request: As soon as the preliminary immediate (repeated twice) was executed, the Reprompt assault chain server issued follow-up directions and requests, comparable to calls for for added data.
In keeping with Varonis, this methodology was troublesome to detect as a result of user- and client-side monitoring instruments couldn’t see it, and it bypassed built-in safety mechanisms whereas disguising the info being exfiltrated.
“Copilot leaks the info little by little, permitting the menace to make use of every reply to generate the following malicious instruction,” the group added.
A proof-of-concept (PoC) video demonstration is available.
Microsoft’s response
Reprompt was quietly disclosed to Microsoft on Aug 31, 2025. Microsoft patched the vulnerability previous to public disclosure and confirmed that enterprise customers of Microsoft 365 Copilot weren’t affected.
Additionally: Want Microsoft 365? Just don’t choose Premium – here’s why
“We admire Varonis Menace Labs for responsibly reporting this concern,” a Microsoft spokesperson advised ZDNET. “We rolled out protections that addressed the state of affairs described and are implementing further measures to strengthen safeguards in opposition to related methods as a part of our defense-in-depth strategy.”
The right way to keep protected
AI assistants — and browsers — are comparatively new applied sciences, so hardly every week glided by with no safety concern, design flaw, or vulnerability being found.
Phishing is likely one of the most typical vectors for cyberattacks, and this specific assault required a person to click on a malicious hyperlink. So, your first line of protection was to be cautious in terms of hyperlinks, particularly in case you didn’t belief the supply.
Additionally: Gemini vs. Copilot: I compared the AI tools on 7 everyday tasks, and there’s a clear winner
As with all digital service, you have to be cautious about sharing delicate or private data. For AI assistants like Copilot, you must also test for any uncommon conduct, comparable to suspicious knowledge requests or unusual prompts which will seem.
Varonis really useful that AI distributors and customers do not forget that belief in new applied sciences may very well be exploited and mentioned that “Reprompt represents a broader class of important AI assistant vulnerabilities pushed by exterior enter.”
As such, the group urged that URL and exterior inputs must be handled as untrusted, and so validation and security controls must be applied all through the complete course of chain. As well as, safeguards must be imposed that cut back the danger of immediate chaining and repeated actions, and this could not cease at simply the preliminary immediate.
