A newly disclosed technique dubbed Reprompt exploited Microsoft Copilot with a single click, bypassing guardrails and quietly siphoning user data. The research, released by Varonis Threat Labs, shows how a crafted link could inject malicious instructions into Copilot via the URL, seize the session, and extract previously shared information even after the chat window was closed. Microsoft has since patched the flaw and said enterprise customers using Microsoft 365 Copilot were not affected.
How One Click Gave Attackers Control of Copilot
Reprompt did not rely on social engineering inside the chat or tricking users to paste prompts. Instead, the attack abused a legitimate URL parameter, “q,” to preload Copilot with adversarial instructions. A victim who clicked a weaponized link effectively authorized the model to run a hidden sequence of actions. Because Copilot processed that input as if it were a user’s own request, the attacker’s instructions inherited the session’s privileges and context.
Varonis demonstrated that this approach could coax Copilot to recall sensitive data the user had previously provided—names, account identifiers, or other personal details—then reveal it incrementally. The drip-feed mattered: by splitting exfiltration across multiple answers, the attacker avoided simple output filters and throttling while building a chain of follow-up prompts that looked benign in isolation.
The researchers also observed persistence: control continued after the visible chat closed, enabling background exfiltration without additional clicks. That persistence underscores a broader risk with AI assistants that maintain conversational memory or session context across interactions.
Why Security Controls Missed the Reprompt Attack
Reprompt sidestepped typical enterprise defenses because it lived at the intersection of web navigation and model prompting. Client-side monitoring tools saw only a harmless page load. Server-side filters permitted the “q” parameter as expected. And Copilot’s built-in safety systems were tuned to what users type in the chat box, not what arrives via URL parameters.
That gap aligns with known AI risks: OWASP’s Top 10 for LLM Applications ranks prompt injection and insecure output handling among the most critical issues. By chaining small outputs into new instructions, Reprompt resembled a multi-step data exfiltration playbook that steadily escalated from context gathering to leakage while appearing routine to controls focused on single-turn prompts.
The human element also played a role. A single click was enough to kick things off, echoing findings from Verizon’s Data Breach Investigations Report that the human element factors into roughly two-thirds of breaches. Here, that click didn’t deliver malware—it delivered intent to an AI system.
What Microsoft Changed to Patch the Copilot Flaw
According to the researchers, Microsoft addressed the vulnerability ahead of public disclosure and confirmed that Microsoft 365 Copilot enterprise tenants were not impacted. While technical specifics were not detailed publicly, the fix required hardening how Copilot handles external inputs and session state. In practice, that likely includes stricter validation and sanitization of URL parameters, curbing auto-execution of prompts passed via links, and tightening session isolation to prevent hidden follow-on actions.
Just as importantly, Microsoft’s response suggests expanded telemetry and anomaly detection around chained prompts and unusual retrieval patterns. Cutting off the persistence channel and limiting cross-turn memory access from external inputs are both standard mitigations for this class of attacks.
Guidance for Security Teams and Everyday Users
For organizations, Reprompt is a reminder that AI assistants sit on top of web platforms, identity systems, and data stores—and need defense-in-depth across all layers. Practical steps include:
- Treat all URL-controlled inputs as untrusted.
- Enforce strict allowlists for parameters.
- Instrument detection for multi-turn exfiltration patterns, not just single-response anomalies.
On the model side, apply safety controls throughout the interaction lifecycle:
- State resets on navigation events.
- Rate limits and content caps for sensitive outputs.
- Provenance tagging to distinguish user-typed prompts from external injections.
- Policies that block follow-up actions derived solely from externally supplied instructions.
For end users, the same caution that applies to phishing holds here: avoid clicking unknown links that launch AI assistants or pre-populate queries. If an AI chat shows unexpected memory of sensitive details or begins issuing unusual follow-ups, close the session and report it to IT. Minimizing what you share with assistants—and regularly reviewing data retention settings—reduces exposure if a session is ever compromised.
The Bigger Lesson for AI Assistant Design
Varonis described Reprompt as part of a broader class of AI vulnerabilities driven by external input. The takeaway is clear: the boundary between “prompt” and “platform” is porous. Any channel that can shape a model’s behavior—URLs, embedded widgets, plugins, or retrieved documents—must be validated and constrained with the same rigor as user-authored text.
Reprompt was a one-click wake-up call. The patch closes this specific hole, but the pattern it exposes will recur wherever AI agents accept hidden instructions from the web. The winners in this next phase of AI security will be the teams that instrument their assistants like production apps, not demos—measuring, limiting, and verifying every input that could become the model’s next thought.
