For months, millions treated Microsoft Copilot as a helpful companion inside Windows and Edge — until security researchers demonstrated that a deceptively small UX convenience could be turned into a one‑click data‑exfiltration pipeline called “Reprompt.”
Background / overview
Varonis Threat Labs...
A deceptively small UX convenience — allowing Copilot to accept a prefilled prompt from a URL — has been chained into a practical, one‑click data‑exfiltration technique that security researchers call Reprompt, while at the same time enterprise telemetry shows ChatGPT accounts for the lion’s...
Microsoft’s Copilot ecosystem was rattled in mid‑January when security researchers disclosed a novel, one‑click exfiltration technique — dubbed “Reprompt” — that used Copilot deep‑links and conversational behaviors to siphon user profile data, file summaries and chat memory from authenticated...
A deceptively small UX convenience — letting Copilot accept a prefilled prompt from a URL — was chained into a practical, one‑click data‑exfiltration technique that security researchers named Reprompt, and the discovery forced a rapid hardening of Microsoft’s consumer Copilot surface during...
A deceptively small UX convenience—allowing Microsoft Copilot to accept a prefilled prompt from a URL—was chained into a practical, one‑click data‑exfiltration technique that targeted Copilot Personal and, until Microsoft pushed mitigations in mid‑January 2026, could quietly siphon profile...
Varonis Threat Labs’ proof‑of‑concept shows that a deceptively small convenience — allowing Microsoft Copilot to accept a prefilled prompt from a URL — could be chained into a practical, one‑click data‑exfiltration technique that targeted Copilot Personal and could, under lab conditions, siphon...
A skirmish of culture, security and policy is playing out across the Windows ecosystem this week — a prankish browser extension that renames Microsoft to “Microslop,” a technically sophisticated one‑click Copilot exploit researchers call Reprompt, and Microsoft’s public push to expand free AI...
A deceptively small design choice — allowing Copilot to accept a prefilled prompt from a URL — has been chained into a practical, one‑click data‑exfiltration technique that bypassed Copilot Personal safeguards and let an attacker quietly siphon profile data, file summaries and conversational...
A new, deceptively simple attack named “Reprompt” has exposed a critical weakness in Microsoft Copilot Personal: with a single click on a legitimate Copilot deep link an attacker could, under the right conditions, mount a multistage, stealthy data‑exfiltration chain that pulls names, locations...
Microsoft's Copilot ecosystem landed in the headlines this week for two very different reasons: a high‑profile, single‑click data‑exfiltration proof‑of‑concept dubbed Reprompt that security researchers say Microsoft has patched, and the wider rollout of developer tooling with the Copilot Studio...
Microsoft Copilot users face a new prompt-injection vector that researchers say can be triggered with a single click — a technique reported as “Reprompt” that abuses URL parameters to feed malicious prompts into Copilot, bypass built‑in safeguards, and siphon sensitive content from user sessions...