How a simple link allowed hackers to bypass Copilot’s security guardrails – and what Microsoft did about it

Follow ZDNET: Add us as a preferred source on Google.

ZDNET’s key takeaways

• Dubbed “Reprompt,” the attack used a URL parameter to steal user data.
• A single click was enough to trigger the entire attack chain.
• Attackers could pull sensitive Copilot data, even after the window closed.

Researchers have revealed a new attack that required only one click to execute, bypassing Microsoft Copilot security controls and enabling the theft of user data.

Also: How to remove Copilot AI from Windows 11 today

Meet Reprompt

On Wednesday, Varonis Threat Labs published new research documenting Reprompt, a new attack method that affected Microsoft’s Copilot AI assistant.

Reprompt impacted Microsoft Copilot Personal and, according to the team, gave “threat actors an invisible entry point to perform a data‑exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection — all from one click.”

Also: AI PCs aren’t selling, and Microsoft’s PC partners are scrambling

No user interaction with Copilot or plugins was required for this attack to trigger. Instead, victims had to click a link. 

After this single click, Reprompt could circumvent security controls by abusing the ‘q’ URL parameter to feed a prompt and malicious actions through to Copilot, potentially allowing an attacker to ask for data previously submitted by the user — including personally identifiable information (PII).

“The attacker maintains control even when the Copilot chat is closed, allowing the victim’s session to be silently exfiltrated with no interaction beyond that first click,” the researchers said.

How did Reprompt work?

Reprompt chained three techniques together:

• Parameter 2 Prompt (P2P injection): By exploiting the ‘q’ URL parameter, an attacker could fill a prompt from a URL and inject crafted, malicious instructions that forced Copilot to perform actions, including data exfiltration.
• Double-request: While Copilot had safeguards that prevented direct data exfiltration or leaks, the team found that repeating a request for an action twice would force it to be performed.
• Chain-request: Once the initial prompt (repeated twice) was executed, the Reprompt attack chain server issued follow-up instructions and requests, such as demands for additional information.

According to Varonis, this method was difficult to detect because user- and client-side monitoring tools could not see it, and it bypassed built-in security mechanisms while disguising the data being exfiltrated.

“Copilot leaks the data little by little, allowing the threat to use each answer to generate the next malicious instruction,” the team added.

A proof-of-concept (PoC) video demonstration is available.

Microsoft’s response

Reprompt was quietly disclosed to Microsoft on Aug 31, 2025. Microsoft patched the vulnerability prior to public disclosure and confirmed that enterprise users of Microsoft 365 Copilot were not affected.

Also: Want Microsoft 365? Just don’t choose Premium – here’s why

“We appreciate Varonis Threat Labs for responsibly reporting this issue,” a Microsoft spokesperson told ZDNET. “We rolled out protections that addressed the scenario described and are implementing additional measures to strengthen safeguards against similar techniques as part of our defense-in-depth approach.”

How to stay safe

AI assistants — and browsers — are relatively new technologies, so hardly a week went by without a security issue, design flaw, or vulnerability being discovered.

Phishing is one of the most common vectors for cyberattacks, and this particular attack required a user to click a malicious link. So, your first line of defense was to be cautious when it comes to links, especially if you did not trust the source.

Also: Gemini vs. Copilot: I compared the AI tools on 7 everyday tasks, and there’s a clear winner

As with any digital service, you should be careful about sharing sensitive or personal information. For AI assistants like Copilot, you should also check for any unusual behavior, such as suspicious data requests or strange prompts that may appear.

Varonis recommended that AI vendors and users remember that trust in new technologies could be exploited and said that “Reprompt represents a broader class of critical AI assistant vulnerabilities driven by external input.”

As such, the team suggested that URL and external inputs should be treated as untrusted, and so validation and safety controls should be implemented throughout the full process chain. In addition, safeguards should be imposed that reduce the risk of prompt chaining and repeated actions, and this should not stop at just the initial prompt.