Reprompt: the stealth attack that siphoned conversation data from Microsoft Copilot

Last updated: 01/16/2026
  • Reprompt exploited the way Microsoft Copilot handled the URL parameter q to run hidden instructions without user interaction.
  • A single click on a legitimate Microsoft Copilot link was enough to grant attackers control over the Copilot session and exfiltrate data.
  • The attack could silently extract conversations, credentials and internal documents, even after the user closed the chat window.
  • Microsoft has patched the flaw, but Reprompt highlights broader security risks in how AI assistants process links, prompts and session context.

AI security risk in Copilot conversations

Security researchers have uncovered a technique that turned Microsoft’s AI assistant into an unwitting data courier. By abusing how Copilot interprets certain web links, attackers were able to quietly drain personal and corporate information from user conversations with nothing more than a click on a seemingly harmless URL.

The method, known as Reprompt, does not rely on classic malware, rogue downloads or suspicious attachments. Instead, it takes advantage of hidden instructions embedded in legitimate Microsoft Copilot links, instructing the AI to collect and transmit sensitive data in the background while everything appears normal to the user.

What Reprompt is and why it matters for Copilot

Reprompt is the name given by Varonis Threat Labs to a tailored attack against Microsoft Copilot, the AI assistant integrated across Bing, Edge, Windows and Microsoft’s cloud services. Far from being a purely theoretical risk, the vulnerability allowed an attacker to effectively take over an active Copilot session and siphon information without raising obvious red flags.

The central idea behind the technique is simple but powerful: hide malicious prompts inside URLs that point to real Microsoft domains, such as copilot.microsoft.com. Because the link looks legitimate and uses an official host, most users would treat it as safe and click without hesitation, especially if it arrives in a trusted context like internal email or a collaboration tool.

Once the link is opened, Copilot loads as usual in the browser, but starts executing the attacker’s concealed instructions in the background. To the user, it may look like just another Copilot session or even a prefilled query, while in reality the assistant is already obeying commands that were never manually typed.

From a security perspective, Reprompt represents a significant shift: instead of compromising the user’s device directly, the attacker abuses the internal behavior of the AI model and the trust placed in the cloud service. The AI itself becomes the tool for data extraction, following what it believes are legitimate user requests.

How the attack works: the role of the q parameter

At the heart of Reprompt lies a feature that, on paper, is entirely benign: the URL parameter called q used by Microsoft Copilot. This parameter is intended to preload a query when the Copilot page is opened, so that users can be taken directly to a specific question or prompt.

A simple example illustrates the idea: if someone opens http://copilot.microsoft.com/?q=Hello, Copilot will automatically receive the message “Hello” when the page loads. The user does not need to type anything; the assistant simply sees that initial prompt and responds accordingly.

Reprompt twists this convenience feature into a weapon. Instead of a friendly greeting, an attacker can embed a long, carefully crafted instruction inside the same q parameter. Copilot interprets the content of q as if it had been written by the visitor, treating it as a normal user message and processing it immediately.

In practice, this means a malicious URL can instruct Copilot to do things like: collect previous conversation history, summarize confidential documents, extract usernames or partial credentials and then send that information to a remote server specified by the attacker. All of this starts the moment the page is opened, without extra clicks, dialogs or downloads.

The technique relies on a broader concept known as prompt injection: embedding hidden or deceptive instructions so that an AI system treats them as trusted input. What sets Reprompt apart from many earlier prompt injection demonstrations is its focus on automatic, direct data exfiltration through server-side communication, not just manipulating the visible answer shown in the chat window.

One click to lose control of the Copilot session

One of the most concerning aspects of Reprompt is its low barrier to exploitation. In the scenario described by Varonis Threat Labs, a single click on an authentic-looking Microsoft link was enough to hand over control of the Copilot session to an attacker.

Once that link is opened, Copilot effectively enters into a hidden back-and-forth with the attacker’s infrastructure. The malicious prompt injected via the q parameter can instruct the AI to contact an external server, respond to additional queries and progressively reveal more information tied to the user’s account and context.

Researchers found that in some situations the exploit could continue operating even after the user closed the chat window. As long as the AI session on the server side remained active, Copilot could keep answering the attacker’s follow-up prompts, silently exposing more data over time.

For the victim, this is particularly deceptive. Closing a browser tab typically signals the end of an interaction, but in this case the conversation between Copilot and the attacker’s server might still be ongoing. There are no obvious pop-ups, warnings or system alerts that would reveal what is happening behind the scenes.

To make matters worse, the instructions embedded in the URL can be written to look like routine support or productivity tasks from the AI’s perspective. Copilot appears to be doing exactly what it was designed to do—answer questions, gather context and generate responses—yet it is doing so according to an agenda defined entirely by the attacker.

What kind of data was at risk?

The potential scope of information exposure through Reprompt goes well beyond a couple of stray lines of chat. According to the analysis shared by Varonis, the attack could enable the theft of entire conversation histories held with Copilot, which in many organizations are already used to discuss sensitive topics and internal workflows.

Depending on how Copilot is configured and what it can access, the exposed content might include usernames, partial credentials, email addresses and internal corporate documents. In environments where Copilot is deeply integrated with productivity suites and cloud storage, those conversations may reference or summarize highly confidential material.

Because the exfiltration takes place inside Copilot’s own logic, the data does not leave the device as a traditional file transfer or suspicious process. Instead, it is returned as a series of AI-generated responses, routed to an external endpoint under the attacker’s control. From the point of view of endpoint security tools, this can look like normal traffic to and from a legitimate cloud service.

Investigators emphasized that there was effectively no strict upper bound on the amount or type of information that could be leaked. The limiting factor was simply what Copilot could access within the user’s session and the permissions granted to the account: recent chats, summarized meeting notes, contents of documents stored in the cloud or even contextual snippets from emails.

This type of exposure has serious implications in regulated environments. For organizations bound by strict data protection rules, a stealthy leak of personal data via an AI assistant could trigger mandatory incident reporting, regulatory scrutiny and significant reputational damage.

Why Reprompt stands out from earlier AI attacks

Security researchers had already warned that parameters like q in URLs could be misused with other AI tools and search-based assistants, including services similar to ChatGPT or Perplexity. However, Reprompt adds a critical new dimension that makes it stand out.

Rather than simply altering what a user sees on screen, the technique is geared toward seamless, server-side exfiltration of data to an attacker-controlled destination. The AI does not just reveal information inside the chat; it is instructed to send it elsewhere, outside the normal user environment.

Varonis Threat Labs highlighted another complicating factor: traditional client-side security tools are poorly positioned to catch this type of attack in real time. Because the sensitive operations occur in the cloud, within the communication loop between Copilot and the attacker’s infrastructure, endpoint defenses see little more than encrypted traffic to a trusted provider.

As the researchers put it, genuine data leaks in such scenarios happen dynamically during the live interaction between the assistant and its counterpart. There is no obvious malware binary to quarantine, no suspicious process spike and no clear anomaly on the end user’s machine that would trigger conventional alerts.

This makes Reprompt a useful case study for a broader trend: as AI systems gain more context and access to corporate data, the impact of prompt-level manipulation increases dramatically. The combination of persistent sessions, rich permissions and automated instruction processing turns what might seem like a small design oversight into a high-impact vulnerability.

A broader challenge for AI-era cybersecurity

The discovery of Reprompt feeds into a growing recognition that AI assistants and large language models introduce their own category of security risks. These systems are not just another web application; they maintain conversational state, have dynamic access to data and can autonomously chain actions together.

First, their attack surface is wider than it looks. Features that are meant to improve user experience—such as preloading prompts via URL parameters—can become entry points for attackers if the incoming instructions are not strictly validated and sanitized before reaching the model.

Second, session persistence on the server side means that the effect of a single malicious click can linger. Even when a user closes the browser tab or steps away from their device, the AI session may continue to exist and respond to prompts, creating a window for prolonged and largely invisible abuse.

Third, many organizations still rely on defenses tuned to monitor visible activity on endpoints: process execution, file access, outbound connections from desktop applications and so on. When the crucial parts of an attack take place entirely between a cloud-hosted AI and another remote service, those traditional controls may never see the dangerous payload or its consequences.

This shifting landscape is pushing companies and public institutions to rethink how they roll out AI assistants in daily operations. It is no longer enough to simply enable a tool like Copilot; there is a need to systematically assess the security properties of prompt handling, session management and data access for every AI integration, especially where sensitive information is involved.

Microsoft’s response and the remaining risks

After Varonis Threat Labs privately reported the issue, Microsoft acknowledged the Copilot vulnerability and rolled out a security fix. According to the timeline described by the researchers, the initial disclosure took place in 2025, and Microsoft delivered a patch in early 2026 that closed the specific avenue exploited by Reprompt.

The company has adjusted how Copilot interprets the q parameter and related mechanisms, so that embedded instructions in links are no longer executed automatically without additional safeguards. The goal is to prevent attackers from turning a simple, authentic Microsoft URL into a covert command channel for data theft.

Despite this remediation, security specialists caution that the underlying problem extends well beyond a single product or vendor. Any AI assistant that accepts input via web parameters, deep links or shared URLs could be exposed to similar manipulation if its designers have not carefully constrained what those inputs are allowed to do.

For organizations that have already embedded AI assistants into workflows, Reprompt serves as a useful warning sign. It underscores the importance of reviewing link-sharing practices, account permissions and the breadth of data that AI tools can reach. Some experts are also advocating for dedicated AI security audits, separate from traditional penetration testing, to identify issues that only appear when models interpret complex prompts.

From the end user’s perspective, the incident is a reminder that even links pointing to well-known domains are not automatically benign. A URL can be legitimate while still containing dangerous instructions that only an AI system will see and act upon. Extra caution around shared Copilot links, especially those with long or opaque parameters, is likely to become part of basic security hygiene.

With the specific Copilot flaw now patched, the concrete risk posed by Reprompt has been reduced, but the episode leaves an important lesson: as AI assistants become central to modern digital infrastructure, they also become high-value targets. Designing them with strict input validation, transparent session handling and continuous monitoring will be key to preventing future attacks that look very different from the threats security teams are used to facing.
