On January 15, 2026, cybersecurity researchers at Varonis disclosed a sophisticated attack called Reprompt that shows how a single click on a legitimate Microsoft Copilot link can silently exfiltrate sensitive data. Security researcher Dolev Taler revealed that this attack requires no malware, no plugin, and no phishing form. Just one click transforms your AI assistant into an unwitting data courier.
Following responsible disclosure, Microsoft has addressed the vulnerability. However, the attack methodology reveals systemic risks across the AI landscape that extend far beyond a single product.
What Is the Reprompt Attack?
Reprompt exploits Microsoft Copilot’s ability to accept input via URL parameters. By embedding instructions in the query parameter (the “q=” section), attackers inject commands directly into Copilot without the user typing anything.
A malicious link looks like: copilot.microsoft[.]com/?q=[hidden instructions]
The attack uses three mechanisms. First, URL parameters smuggle prompts into Copilot through a standard Microsoft link. Second, it bypasses security guardrails by instructing the AI to repeat each action twice, exploiting the fact that safeguards only apply to initial requests. Third, the initial prompt triggers an ongoing chain of requests, creating a persistent back-channel between Copilot and the attacker’s server.
Once clicked, the AI takes over. The user closes the browser, but Copilot continues communicating with the attacker’s server in the background, responding to dynamic commands that evolve based on earlier responses.
How the Attack Unfolds
- Attacker sends an email with a legitimate-looking Copilot link
- Victim clicks the link (no warnings, legitimate Microsoft domain)
- URL parameters inject the initial instruction set
- Repeated commands bypass security guardrails
- Copilot connects to attacker server for additional instructions
- Data exfiltrates based on adaptive queries (“Summarize files accessed today,” “What vacations are planned?”)
- Session persists even after user closes the chat window
Why Traditional Security Fails
Email gateways see only a legitimate Microsoft domain. Endpoint protection finds no malicious file. Network firewalls observe standard HTTPS traffic to Microsoft infrastructure. The security stack operates exactly as designed, yet the compromise succeeds.
The victim cannot see what data is being accessed because the malicious conversation occurs entirely server-side. There is no chat history to review, no suspicious downloads, no obvious indicators of compromise.
Who Is At Risk?
- Consumer Copilot users: The original vulnerability affected consumer Copilot. Microsoft has now addressed this implementation.
- Microsoft 365 Copilot enterprise users: According to Microsoft, the attack does not affect enterprise customers using M365 Copilot.
- Other AI platforms: Any AI system accepting input through URL parameters or processing untrusted data could be vulnerable to similar attacks.
- Organisations with AI integrations: If your AI assistants can access documents, email, or sensitive repositories, they represent potential exfiltration channels.
A Broader Pattern of AI Exploitation
Reprompt is part of an accelerating trend targeting AI agents. Recent examples include:
- ZombieAgent exploits ChatGPT’s third-party app connections, transforming prompt injections into zero-click attacks that exfiltrate data character by character and achieve persistence through ChatGPT’s Memory feature.
- GeminiJack targets Google Gemini Enterprise by planting hidden instructions in shared documents, calendar invitations, or emails that execute when processed.
- Lies-in-the-Loop (LITL) weaponizes safety dialogs in Claude Code and Microsoft Copilot Chat, tricking users into authorizing malicious actions.
- CellShock exploits Claude for Excel, using crafted instructions in untrusted data to output formulas that exfiltrate spreadsheet data.
Additional vulnerabilities affect Perplexity Comet, Model Context Protocol implementations, Notion AI, Slack AI, and others. The pattern is clear: when AI can access sensitive data, attackers will find ways to access your AI.
The Root Cause
These attacks succeed because AI architectures cannot reliably distinguish between legitimate user instructions and malicious commands injected through data processing. When AI parses untrusted content from URLs, documents, or emails, it interprets embedded instructions with the same authority as direct user input.
This is architectural, not a simple software bug.
What Organisations Must Do
- Audit your AI footprint
Map every AI assistant in your organization. Document what data each can access. Understand the blast radius. - Implement strict permissions
AI agents should operate under least privilege. Never grant admin access. Restrict their environment and monitor interactions. - Deploy link inspection
Train security filters to detect and inspect AI platform links with query parameters that could enable prompt injection. - Educate teams
Users must understand that AI assistants are not neutral tools. Even legitimate domain links can trigger unauthorized actions. - Integrate AI into threat modelling
Treat AI systems as potential insider threats. Include prompt injection in penetration testing. Test how AI tools respond to adversarial inputs. - Monitor AI activity
Log all AI interactions with sensitive data. Establish alerts for unusual access patterns or unexpected external connections.
The Path Forward
The Reprompt attack reveals where the threat landscape is heading. Traditional security models assumed clear boundaries between trusted internal systems and external threats. AI assistants blur this boundary.
Attackers are not breaking your systems. They are hijacking systems that already have access. Your AI assistant, granted broad permissions to improve productivity, becomes the mechanism of compromise.
If you are not actively assessing the security of your AI tools, evaluating their access controls, monitoring their behaviour, and testing their resilience to adversarial inputs, you are already exposed.
Organisations deploying AI with access to sensitive data must establish new defensive paradigms: contextual access controls, input validation for natural language instructions, behavioural analytics tuned to AI patterns, and incident response procedures for AI-mediated compromises.
The technology is too powerful, and the risks too significant, to approach AI security as an afterthought.
For guidance on building AI strategies that are secure, not just smart, consider consulting with us today. The next click should not turn into a breach.
