Single-Click 'Reprompt' Attack Steals Data from Microsoft Copilot

Reprompt attack Microsoft Copilot security AI security prompt injection cybersecurity vulnerability
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
January 16, 2026
2 min read
Single-Click 'Reprompt' Attack Steals Data from Microsoft Copilot

TL;DR

  • Cybersecurity researchers have identified a 'Reprompt' attack that exploits Microsoft Copilot Personal to steal sensitive data via a single-click malicious link. This attack bypasses security measures by injecting hidden instructions and performing chained requests. While Microsoft has patched the vulnerability, users should remain cautious of links and review prompts.

Single-Click Attack Exploits Microsoft Copilot

Cybersecurity researchers at Varonis have discovered a new attack, dubbed "Reprompt," that can steal sensitive information from Microsoft's Copilot with a single click. This attack bypasses standard security protections and requires no malicious software or plugins. The vulnerability affects Microsoft Copilot Personal. Microsoft has addressed the issue after it was responsibly disclosed.

Reprompt

Image courtesy of Varonis

How the Reprompt Attack Works

Reprompt leverages how Copilot Personal processes web links with pre-filled prompts. Attackers embed hidden instructions in these links, taking control of a Copilot session upon opening. The attack occurs in three stages:

  1. Parameter 2 Prompt (P2P injection): Exploits the 'q' URL parameter to inject malicious instructions. Varonis Threat Labs found that the ‘q’ URL parameter is used to fill the prompt directly from a URL.
  2. Double-request: Bypasses safety checks by repeating a request for an action twice.
  3. Chain-request: Issues commands remotely via the attacker's server.

According to ZDNET, once the initial prompt (repeated twice) was executed, the Reprompt attack chain server issued follow-up instructions and requests, such as demands for additional information.

Blog_VTL-Reprompt_Diagram_202601_V3

Image courtesy of Varonis

Silent Data Extraction

Attackers can maintain control even after the user closes the Copilot chat window. Instructions are delivered via the attacker's server, making detection difficult. There is effectively no limit to the data that can be exfiltrated. Each response from Copilot generates the next malicious instruction. This highlights the risks of prompt injection attacks.

Microsoft's Response and User Safety Measures

Microsoft patched the vulnerability after it was disclosed on August 31, 2025. Enterprise users of Microsoft 365 Copilot were not affected.

To stay safe, users should:

  • Be cautious when clicking links that open AI tools.
  • Review automatically filled prompts before running them.
  • Close sessions if an AI assistant behaves unexpectedly.

Varonis advises AI vendors to treat all external inputs as untrusted and ensure security checks persist across multiple interactions.

disable_copilot

Image courtesy of Malwarebytes

Gopher Security's AI-Powered Zero-Trust Architecture

As threats targeting AI platforms grow, robust security measures are crucial. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

Gopher Security ensures that all external inputs are treated as untrusted, applying validation and safety controls throughout the entire execution flow. Our Zero-Trust approach mandates continuous verification, minimizing the risk of unauthorized data exfiltration and prompt injection attacks.

Enhance your organization's cybersecurity posture with Gopher Security's AI-powered Zero-Trust solutions. Contact us today to learn more.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

NIST Standards Drive 2026 Mandates for Securing AI Infrastructure and Model Context Protocol Deployments
NIST AI Risk Management Framework

NIST Standards Drive 2026 Mandates for Securing AI Infrastructure and Model Context Protocol Deployments

Prepare for 2026 NIST AI mandates. Learn how to secure autonomous agents and Model Context Protocol (MCP) deployments against evolving enterprise security threats.

By Alan V Gutnov June 11, 2026 6 min read
common.read_full_article
Active Directory Certificate Services Now Supports Post-Quantum Cryptography for Windows Environments
Post-Quantum Cryptography AD CS

Active Directory Certificate Services Now Supports Post-Quantum Cryptography for Windows Environments

Microsoft adds Post-Quantum Cryptography (PQC) to AD CS. Learn how ML-DSA and hybrid key exchanges protect Windows environments against Harvest Now, Decrypt Later.

By Edward Zhou June 12, 2026 4 min read
common.read_full_article
Enterprises Face 2026 Deadline for NIST-Compliant Post-Quantum Cryptography Migration and Infrastructure Readiness
NIST post-quantum cryptography standards 2026

Enterprises Face 2026 Deadline for NIST-Compliant Post-Quantum Cryptography Migration and Infrastructure Readiness

Is your enterprise ready for the 2026 NIST PQC deadline? Learn how to mitigate Harvest Now, Decrypt Later threats and update your infrastructure to quantum-resistant standards.

By Brandon Woo June 10, 2026 7 min read
common.read_full_article
Cloud and Zero Trust Architecture Adoption Accelerate Modernization of Industrial Control Systems Security
industrial control systems zero trust

Cloud and Zero Trust Architecture Adoption Accelerate Modernization of Industrial Control Systems Security

Explore how Zero Trust Architecture and cloud adoption are transforming Industrial Control Systems (ICS) security to mitigate modern cyber threats.

By Alan V Gutnov June 9, 2026 4 min read
common.read_full_article