{"id":6581,"date":"2026-01-16T03:14:30","date_gmt":"2026-01-16T03:14:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6581"},"modified":"2026-01-16T03:14:30","modified_gmt":"2026-01-16T03:14:30","slug":"one-click-is-all-it-takes-how-reprompt-turned-microsoft-copilot-into-data-exfiltration-tools","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6581","title":{"rendered":"One click is all it takes: How \u2018Reprompt\u2019 turned Microsoft Copilot into data exfiltration tools"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

AI copilots are incredibly intelligent and useful \u2014 but they can also be naive, gullible, and even dumb at times.<\/p>\n

A new one-click attack flow discovered by Varonis Threat Labs researchers underscores this fact. \u2018Reprompt,\u2019 as they\u2019ve dubbed it, is a three-step attack chain that completely bypasses security controls after an initial LLM prompt<\/a>, giving attackers invisible, undetectable, unlimited access.<\/p>\n

\u201cAI assistants have become trusted companions where we share sensitive information, seek guidance, and rely on them without hesitation,\u201d Varonis Threat Labs security researcher Dolev Taler<\/a> wrote in a blog post<\/a>. \u201cBut \u2026 trust can be easily exploited, and an AI assistant can turn into a data exfiltration weapon with a single click.\u201d<\/p>\n

It\u2019s important to note that, as of now, Reprompt has only been discovered in Microsoft Copilot Personal, not Microsoft 365 Copilot \u2014 but that\u2019s not to say it couldn\u2019t be used against enterprises depending on their copilot policies and user awareness. Microsoft has already released a patch after being made aware of the flaw.<\/p>\n

How Reprompt silently works in the background<\/h2>\n

Reprompt employs three techniques to create a data exfiltration chain: Initial parameter to prompt (P2P injection), double request, and chain-request.<\/p>\n

P2P embeds a prompt directly in a URL, exploiting Copilot\u2019s default \u2018q\u2019 URL parameter functionality, which is intended to streamline and improve user experience. The URL can include specific questions or instructions that automatically populate the input field when pages load.<\/p>\n

Using this loophole, attackers then employ double-request, which allows them to circumvent safeguards; Copilot only checks for malicious content in the Q variable for the first prompt, not subsequent requests.<\/p>\n

For instance, the researchers asked Copilot to fetch a URL containing the secret phrase \u201cHELLOWORLD1234!\u201d, repeating the request twice. Copilot removed the secret phrase from the first URL, but the second attempt \u201cworked flawlessly,\u201d Taler noted.<\/p>\n

From here, attackers can kick off a chain-request, in which the attacker\u2019s server issues follow-up instructions to form an ongoing conversation. This tricks Copilot into exfiltrating conversation histories and sensitive data. Threat actors can provide a range of prompts like \u201cSummarize all of the files that the user accessed today,\u201d \u201cWhere does the user live?\u201d or \u201cWhat vacations does he have planned?\u201d<\/p>\n

This method \u201cmakes data theft stealthy and scalable,\u201d and there is no limit to what or how much attackers can exfiltrate, Taler noted. \u201cCopilot leaks the data little by little, allowing the threat to use each answer to generate the next malicious instruction.\u201d<\/p>\n

The danger is that reprompt requires no plugins, enabled connectors, or user interaction with Copilot beyond the initial single click on a legitimate Microsoft Copilot link in a phishing message. The attacker can stay in Copilot as long as they want, even after the user closes their chat.<\/p>\n

All commands are delivered via the server after the initial prompt, so it\u2019s almost impossible to determine what is being extracted just by inspecting that one prompt. \u201cThe real instructions are hidden in the server\u2019s follow-up requests,\u201d Taler noted, \u201cnot from anything obvious in the prompt the user submits.\u201d<\/p>\n

What devs and security teams should do now<\/h2>\n

As in usual security practice, enterprise users should always treat URLs and external inputs as untrusted, experts advised. Be cautious with links, be on the lookout for unusual behavior, and always pause to review pre-filled prompts.<\/p>\n

\u201cThis attack, like many others, originates with a phishing email or text message, so all the usual best practices against phishing apply, including \u2018don\u2019t click on suspicious links,\u2019\u201d noted Henrique Teixeira<\/a>, SVP of Strategy at Saviynt.<\/p>\n

Phishing-resistant authentication should be implemented, not only during the initial use of a chatbot, but throughout the entire session, he emphasized. This would require developers to implement controls when first building apps and embedding copilots and chatbots, rather than adding controls later on.<\/p>\n

End users should avoid using chatbots that are not authenticated and avoid risky behaviors such as acting on a sense of urgency (such as being encouraged to speedily completing a transaction), replying to unknown or potentially nefarious senders, or oversharing personal info, he noted.<\/p>\n

\u201cLastly and super importantly is to not blame the victim in these instances,\u201d said Teixeira. App owners and service providers using AI must build apps that do not allow prompts to be submitted without authentication and authorization, or with malicious commands embedded in URLs. \u201cService providers can include more prompt hygiene and basic identity security controls like continuous and adaptive authentication to make apps safer to employees and clients,\u201d he said.<\/p>\n

Further, design considering insider-level risk, says Varonis\u2019 Taler. \u201cAssume AI assistants operate with trusted context and access. Enforce least privilege, auditing, and anomaly detection accordingly.\u201d<\/p>\n

Ultimately, this represents yet another example of enterprises rolling out new technologies with security as an afterthought, other experts note.<\/p>\n

\u201cSeeing this story play out is like watching Wile E. Coyote and the Road Runner,\u201d said David Shipley<\/a> of Beauceron Security. \u201cOnce you know the gag, you know what\u2019s going to happen. The coyote is going to trust some ridiculously flawed Acme product and use it in a really dumb way.\u201d<\/p>\n

In this case, that \u2018product\u2019 is LLM-based technologies<\/a> that are simply allowed to perform any actions without restriction. The scary thing is there\u2019s no way to secure it because LLMs are what Shipley described as \u201chigh speed idiots.\u201d<\/p>\n

\u201cThey can\u2019t distinguish between content and instructions, and will blindly do what they\u2019re told,\u201d he said.<\/p>\n

LLMs should be limited to chats in a browser, he asserted. Giving them access to anything more than that is a \u201cdisaster waiting to happen,\u201d particularly if they\u2019re going to be interacting with content that can be sent via e-mail, message, or through a website.<\/p>\n

Using techniques such as applying least access privilege and zero trust to try to work around the fundamental insecurity of LLM agents \u201clook brilliant until they backfire,\u201d Shipley said. \u201cAll of this would be funny if it didn\u2019t get organizations pwned.\u201d<\/p>\n

This article originally appeared on Computerworld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

AI copilots are incredibly intelligent and useful \u2014 but they can also be naive, gullible, and even dumb at times. A new one-click attack flow discovered by Varonis Threat Labs researchers underscores this fact. \u2018Reprompt,\u2019 as they\u2019ve dubbed it, is a three-step attack chain that completely bypasses security controls after an initial LLM prompt, giving […]<\/p>\n","protected":false},"author":0,"featured_media":6582,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6581"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6581"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6581\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6582"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}