Ethical Hacking News
A new attack method dubbed "Reprompt" has emerged, exploiting vulnerabilities in Microsoft Copilot's execution of injected prompts via the 'q' parameter in URLs. The attack allows attackers to infiltrate user Copilot sessions and exfiltrate sensitive data without the victim's knowledge, highlighting the importance of staying vigilant against AI-powered attacks.
Microsoft's AI-powered Copilot has been targeted by a new attack method called "Reprompt" that can infiltrate user sessions and exfiltrate sensitive data. The Reprompt attack exploits vulnerabilities in Copilot's execution of injected prompts via the 'q' parameter in URLs. Attackers use phishing, parameter-to-prompt (P2P) injection, double-request technique, and chain-request technique to bypass safeguards and steal data. The latest Windows security update is recommended to protect against Reprompt attacks, especially for Microsoft Copilot Personal users.
Microsoft's AI-powered copilot, designed to assist users by generating answers and completing tasks, has become a target for malicious actors. Recently discovered, a new attack method dubbed "Reprompt" was identified as a means to infiltrate user Copilot sessions and exfiltrate sensitive data without the victim's knowledge.
The Reprompt attack exploits vulnerabilities in Microsoft Copilot's execution of injected prompts via the 'q' parameter in URLs. This allows attackers to embed malicious instructions within this parameter, which are then executed automatically when the page loads. However, additional techniques are required to bypass Copilot's safeguards and exfiltrate data continuously through follow-up instructions from the attacker.
Researchers at data security and analytics company Varonis discovered that a Reprompt attack flow involves phishing the victim with a legitimate Copilot link, triggering Copilot to execute injected prompts, and then maintaining an ongoing back-and-forth exchange between Copilot and the attacker's server. After the target user's initial click on the phishing link, Reprompt leverages the victim's existing authenticated Copilot session, which remains valid even after the Copilot tab is closed.
The attack techniques used in Reprompt include parameter-to-prompt (P2P) injection, double-request technique, and chain-request technique. P2P injection involves injecting instructions directly into Copilot via the 'q' parameter, potentially stealing user data and stored conversations. The double-request technique exploits the fact that Copilot's data-leak safeguards apply only to the initial request. By instructing Copilot to repeat actions twice, attackers can bypass those safeguards on subsequent requests.
Furthermore, chain-request technique enables continuous and stealthy data exfiltration by receiving instructions dynamically from the attacker's server, with each response generating the next request. Researchers demonstrated how an attacker could steal data using a crafted URL starting from a link delivered over email.
While exploitation of Reprompt has not been detected in the wild, it is highly recommended to apply the latest Windows security update as soon as possible. Microsoft Copilot Personal, which was impacted by this attack, only allows enterprise customers access to additional security controls such as Purview auditing, tenant-level DLP, and admin-enforced restrictions.
This new threat highlights the importance of staying vigilant against AI-powered attacks and emphasizes the need for continuous monitoring and updates in AI-powered tools. As the use of AI technology becomes more widespread, it is essential to address vulnerabilities and ensure that these systems are secure from malicious exploitation.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Microsoft-Copilot-A-New-Threat-Emerge-in-Reprompt-Attack-ehn.shtml
https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-hijack-microsoft-copilot-sessions/
https://www.zdnet.com/article/copilot-steal-data-reprompt-vulnerability/
Published: Wed Jan 14 11:11:48 2026 by llama3.2 3B Q4_K_M
