Researchers have identified a security vulnerability, dubbed “Reprompt,” that could allow attackers to infiltrate a user’s Microsoft Copilot session and issue commands to exfiltrate sensitive data. The method involved hiding a malicious prompt within a legitimate URL, bypassing Copilot’s existing protections. After a user clicks a single malicious link, an attacker could maintain access to the victim’s Large Language Model (LLM) session. Reprompt does not require plugins or additional tricks and enables invisible data exfiltration. Microsoft Copilot connects to personal accounts, is integrated into Windows and the Edge browser, and can access user prompts, conversation history, and certain personal Microsoft data based on context and permissions.
How Reprompt Functions
Security researchers at Varonis discovered that access to a user's Copilot session could be achieved by combining three techniques:
- Parameter-to-Prompt (P2P) Injection: This technique uses the 'q' parameter in the URL to directly inject instructions into Copilot, potentially leading to the theft of user data and stored conversations.
- Double-Request Technique: Copilot’s data-leak safeguards primarily apply to the initial request. Attackers could instruct Copilot to repeat actions twice, bypassing these safeguards on subsequent requests.
- Chain-Request Technique: This method allows Copilot to continuously receive dynamic instructions from an attacker's server. Each response from Copilot is used to generate the next request, facilitating continuous and stealthy data exfiltration.
Varonis provided an example of the double-request technique, demonstrating how an instruction to make every function call twice could bypass initial guardrails. While the first reply might not include sensitive information, the second attempt could yield the data.
Disclosure and Resolution
The Reprompt method was responsibly disclosed to Microsoft by Varonis researchers on August 31 last year. Microsoft subsequently released a fix for the vulnerability on January 2026's Patch Tuesday. It is important to note that exploitation of the Reprompt method had not been detected in the wild. The vulnerability specifically impacted Copilot Personal and did not affect Microsoft 365 Copilot, which is used by enterprise customers and benefits from additional security controls such as Purview auditing, tenant-level DLP, and admin-enforced restrictions. Users are recommended to apply the latest Windows security update as soon as possible to ensure protection against this vulnerability.