Imagine this: You're chatting with Microsoft Copilot, your helpful AI assistant, sharing sensitive information, when suddenly, your data is being silently siphoned away. This chilling scenario became a reality, thanks to a clever new attack called "Reprompt." It exploits the very features designed to make AI assistants user-friendly.
For months, we've relied on AI like Copilot to manage our digital lives, from summarizing emails to planning trips. But a recent discovery by Varonis Threat Labs reveals a vulnerability that could allow malicious actors to hijack your Copilot sessions and extract your private data. The scariest part? It all happens without you even knowing it.
Unlike earlier attacks, Reprompt doesn't need special plugins or user-entered commands. Once triggered, attackers can take over your session without further interaction. This makes it a particularly stealthy threat.
So, how did Reprompt manage to bypass Copilot's defenses? The attack relies on a combination of three sneaky techniques:
Parameter-to-Prompt (P2P) Injection: Copilot accepts prompts directly from a URL using the 'q' parameter. This is designed for convenience, but Varonis found it could be exploited to run instructions the user never intended. By including a specific instruction in the 'q' parameter, attackers can make Copilot execute a malicious prompt automatically.
Double-Request Bypass: Copilot has safeguards to prevent data leaks, but these protections only work on the first request. By instructing Copilot to repeat each task twice, researchers could bypass these defenses on the second attempt. Think of it like a secret code that unlocks the information after the first attempt fails.
Chain-Request Exfiltration: Once the initial prompt runs, Copilot can be tricked into a hidden back-and-forth exchange with an attacker-controlled server. Each response generates the next instruction, allowing attackers to extract data gradually and invisibly. This is where the real damage happens, as the attacker's server subtly guides Copilot to reveal sensitive information.
As Varonis noted, client-side monitoring tools won't catch these malicious prompts because the data leaks happen dynamically during the back-and-forth communication.
But here's where it gets controversial... What makes Reprompt especially dangerous is its persistence. Unlike a typical hack that ends when you close the window, this attack turns Copilot into a continuous spy. The attacker's server takes over the conversation, even after you've closed the chat. The attacker can then ask follow-up questions like, "Where does the user live?" or "What vacations does he have planned?" based on what it learned earlier. Your browser's security tools wouldn't see a thing.
The vulnerability was found in Microsoft Copilot Personal, which is tied to consumer Microsoft accounts and integrated into Windows and Edge. Enterprise customers using Microsoft 365 Copilot were not affected, according to the researchers. Microsoft has since patched the flaw as part of its January 2026 security updates.
And this is the part most people miss... Varonis highlights a growing risk tied to AI assistants that automatically process untrusted input. They warn that our trust in AI tools can be easily abused, turning them into powerful and dangerous targets when security controls fail.
Security experts recommend applying the latest Windows updates and being cautious with links that open AI tools or pre-filled prompts, even if they seem legitimate. It's a reminder that even the most helpful tools can have hidden vulnerabilities.
What do you think? Are you surprised by the Reprompt attack? Do you think we should be more cautious about the information we share with AI assistants? Share your thoughts in the comments below!
