Ethical Hacking News
A new vulnerability has been discovered in Microsoft Copilot that allows bad actors to exfiltrate sensitive data from the chatbot in a single click, bypassing enterprise security controls entirely. Dubbed "Reprompt," this attack method exploits design limitations of AI systems and highlights the need for organizations to prioritize layered defenses and robust monitoring.
A new vulnerability called "Reprompt" was discovered in Microsoft Copilot, allowing bad actors to exfiltrate sensitive data from the chatbot with a single click.The Reprompt attack exploits three techniques: injecting crafted instructions via the "q" URL parameter, bypassing guardrails design, and triggering an ongoing chain of requests for continuous data exfiltration.The vulnerability creates a security blind spot by allowing AI systems to execute prompts without user input, plugins, or connectors, making it invisible to most users.Organizations deploying AI systems with access to sensitive data need to consider trust boundaries, implement robust monitoring, and stay informed about emerging AI security research.To mitigate the risks associated with Reprompt, organizations should ensure elevated privileges are not used for sensitive tools, limit agentic access to business-critical information, adopt layered defenses, and monitor for emerging threats.
Recently, a new vulnerability was discovered in Microsoft Copilot, a popular artificial intelligence chatbot service. Dubbed "Reprompt," this attack method allows bad actors to exfiltrate sensitive data from the chatbot in a single click, bypassing enterprise security controls entirely.
According to Varonis security researcher Dolev Taler, only a single click on a legitimate Microsoft link is required to compromise victims. No plugins, no user interaction with Copilot is necessary for this attack to take effect. The attacker maintains control even when the Copilot chat is closed, allowing the victim's session to be silently exfiltrated with no interaction beyond that first click.
The Reprompt attack exploits three techniques to achieve a data-exfiltration chain:
1. Using the "q" URL parameter in Copilot to inject a crafted instruction directly from a URL.
2. Instructing Copilot to bypass guardrails design to prevent direct data leaks simply by asking it to repeat each action twice, by taking advantage of the fact that data-leak safeguards apply only to the initial request.
3. Triggering an ongoing chain of requests through the initial prompt that enables continuous, hidden, and dynamic data exfiltration via a back-and-forth exchange between Copilot and the attacker's server.
In a hypothetical attack scenario, a threat actor could convince a target to click on a legitimate Copilot link sent via email, thereby initiating a sequence of actions that causes Copilot to execute the prompts smuggled via the "q" parameter. The attacker would then "reprompt" the chatbot to fetch additional information and share it, which could include sensitive data such as file names accessed by users today, user addresses, or vacation plans.
This attack effectively creates a security blind spot by turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plugins, or connectors. The root cause of Reprompt is the AI system's inability to delineate between instructions directly entered by a user and those sent in a request, paving the way for indirect prompt injections when parsing untrusted data.
As Varonis noted, "There's no limit to the amount or type of data that can be exfiltrated. The server can request information based on earlier responses." This vulnerability highlights the need for organizations deploying AI systems with access to sensitive data to carefully consider trust boundaries, implement robust monitoring, and stay informed about emerging AI security research.
The discovery of Reprompt is significant because it demonstrates how prompt injections remain a persistent risk in AI-powered tools. Unlike other attacks aimed at large language models, the root cause of Reprompt is not due to user error or inadequate configuration but rather the inherent design limitations of these systems. The vulnerability affects various data exfiltration vulnerabilities impacting several popular AI tools and services.
In light of this new vulnerability, cybersecurity professionals and organizations should prioritize the following measures:
1. Ensure sensitive tools do not run with elevated privileges.
2. Limit agentic access to business-critical information where applicable.
3. Adopt layered defenses to counter the threat.
4. Stay informed about emerging AI security research and implement robust monitoring.
By taking proactive steps to address these vulnerabilities, organizations can mitigate the risks associated with Reprompt and ensure the continued secure use of AI-powered tools like Microsoft Copilot.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Vulnerability-Found-in-Microsoft-Copilot-Reprompt-Attack-Allows-Single-Click-Data-Exfiltration-ehn.shtml
https://thehackernews.com/2026/01/researchers-reveal-reprompt-attack.html
Published: Thu Jan 15 10:17:14 2026 by llama3.2 3B Q4_K_M
