For months, we’ve handled AI assistants like Microsoft Copilot as our digital confidants, instruments that assist us summarize emails, plan holidays, and manage our work.
However new analysis from Varonis Menace Labs reveals that this belief was constructed on a surprisingly fragile basis. A newly found assault movement, nicknamed “Reprompt,” enabled malicious actors to hijack Copilot classes and stealthily extract delicate knowledge, all as a result of the AI was overly desperate to comply with directions.
Not like earlier AI immediate injection assaults, Reprompt required no plugins, connectors, or user-entered prompts. As soon as triggered, attackers may preserve management of the session with out additional interplay from the sufferer.
How Reprompt bypassed Copilot’s safeguards
Varonis researchers say the assault relied on three methods working collectively:
1. Parameter-to-prompt (P2P) injection
Copilot accepts prompts instantly from a URL utilizing the q parameter. When a person clicks a Copilot hyperlink containing this parameter, the AI mechanically executes the embedded immediate. Varonis defined that this habits, whereas designed for comfort, could possibly be abused to run directions the person by no means supposed.
“By together with a particular query or instruction within the q parameter, builders and customers can mechanically populate the enter discipline when the web page hundreds, inflicting the AI system to execute the immediate instantly,” Varonis famous.
2. Double-request bypass
Copilot contains protections to stop delicate knowledge from being leaked, however Varonis discovered these safeguards utilized solely to the primary request.
By instructing Copilot to repeat every job twice, researchers have been in a position to bypass these protections on the second try. In testing, Copilot eliminated delicate data in the course of the first request, however revealed it on the second.
3. Chain-request exfiltration
As soon as the preliminary immediate ran, Copilot could possibly be tricked into persevering with a hidden back-and-forth trade with an attacker-controlled server.
Every response was used to generate the following instruction, permitting attackers to extract knowledge regularly and invisibly.
“Consumer-side monitoring instruments received’t catch these malicious prompts, as a result of the true knowledge leaks occur dynamically throughout back-and-forth communication — not from something apparent within the immediate the person submits,” Varonis famous.
A dialog that by no means ends
What makes Reprompt notably nasty is its persistence. Not like a typical hack that ends if you shut the window, this assault turns Copilot right into a residing spy. As soon as the preliminary click on occurs, the attacker’s server takes over the dialog within the background.
Varonis researchers famous that “The attacker maintains management even when the Copilot chat is closed, permitting the sufferer’s session to be silently exfiltrated with no interplay past that first click on.”
The attacker’s server can primarily “chat” together with your Copilot, asking follow-up questions like “The place does the person dwell?” or “What holidays does he have deliberate?” based mostly on what it discovered within the earlier sentence. As a result of this occurs on the server facet, your browser’s safety instruments wouldn’t see a factor.
Patched, however an issue that persists
The vulnerability was present in Microsoft Copilot Private, which is tied to shopper Microsoft accounts and built-in into Home windows and Edge.
Enterprise clients utilizing Microsoft 365 Copilot weren’t affected, in keeping with the researchers. Microsoft confirmed the flaw has now been patched as a part of its January 2026 safety updates.
Varonis says Reprompt highlights a broader and rising danger tied to AI assistants that mechanically course of untrusted enter.
The corporate warned that belief in AI instruments might be simply abused, writing “AI assistants have develop into trusted companions the place we share delicate data, search steerage, and depend on them with out hesitation.”
That belief, researchers argue, turns AI assistants into highly effective — and harmful — targets when safety controls fail.
Safety researchers suggest customers apply the most recent Home windows updates and be cautious with hyperlinks that open AI instruments or pre-filled prompts, even when they seem legit.
Additionally learn: Microsoft is making Groups safe by default, mechanically enabling new protections to cut back AI-driven threats.
