Reprompt Attack: One Copilot Link Exfiltrates Data

Security researchers have discovered a deceptively simple but dangerous exploit that could turn a single click on a legitimate Microsoft Copilot link into a live data‑exfiltration pipeline — a vulnerability the research community has labeled “Reprompt,” and one that Microsoft moved to mitigate in its mid‑January 2026 update cycle.

Background​

Varonis Threat Labs published a technical write‑up and proof‑of‑concept showing how Copilot Personal’s convenience features — specifically deep links that prefill the assistant’s input field via a URL query parameter (commonly the q parameter) — can be abused to inject attacker instructions into an authenticated user session. The exploit chain, dubbed Reprompt, combines three simple techniques to convert a trusted, vendor‑hosted link into a stealthy exfiltration channel. Independent security outlets corroborated the PoC and reported that Microsoft rolled mitigations into the January 2026 Patch Tuesday release stream; there were no confirmed reports of widespread action at the time of disclosure.

---

What Reprompt actually does — high‑level overview​

At a glance, Reprompt is notable because it requires almost no attacker sophistication beyond crafting a URL and a scaleable distribution channel (email, SMS, social posts). The technique works by:

• Using a legitimate Copilot deep link that includes a prefilled prompt in the URL (the q parameter).
• Embedding natural‑language instructions inside that parameter so Copilot executes them as if the user typed them.
• Exploiting a weakness in Copilot’s enforcement model by instructing the assistant to repeat or refine requests (a “do it twice” bypass), which can let a second invocation return content the first one did not.
• Handing follow‑up control to an attacker backend that sends successive instructions to the live chat, extracting small pieces of context or profile data and sending them to attacker‑controlled endpoints.

The result: one click; one authenticated session used as the exfiltration conduit; an attacker that can keep querying the assistant until the session token is invalidated.

---

Anatomy of the attack — technical breakdown​

1) Parameter‑to‑Prompt (P2P) injection​

Many web UIs for AI assistants support “deep links” that prepopulate the assistant input via a query parameter (for example: copilot.microsoft.com/?q=Summarize%20my%20last%20message). That feature exists to improve sharing and automation workflows.
Reprompt abuses that q parameter by encoding attacker instructions into it so that when a victim clicks the link, Copilot ingests the text and treats it exactly like typed input under the victim’s authenticated session. Because the link can be hosted on a Microsoft domain, it appears trustworthy to filters and to users.

2) Double‑request / repetition bypass​

Copilot implements client‑side and model‑side guardrails designed to prevent dangerous actions (for example, blocking direct fetches or redacting obvious secrets). Varonis’ PoC showed those guardrails were applied primarily to the initial request.
By instructing the assistant to “try again,” “do it twice,” or otherwise repeat the operation, the attacker can engineer a second invocation that succeeds where the first was blocked or redacted. This small procedural trick defeats naive one‑shot enforcement logic.

3) Chain‑request orchestration (server‑driven follow‑ups)​

Once the first injected prompt is accepted, the attacker’s remote server can reply with context‑aware follow‑up instructions that use the assistant’s previous outputs to craft the next step. Those follow‑ups can request:

• Profile details (display name, inferred location),
• Short summaries of recently opened files,
• Snippets of chat memory or previously stored context,
• Or encoded, incremental exfiltration payloads that avoid DLP volume triggers.

In some PoC variants, Varonis demonstrated that the chain could continue even after the user closed the Copilot interface, effectively letting the attacker “zombify” the session until the token expired. That stealthy chaining is what makes detection difficult: each transaction looks small and innocuous by itself.

---

Scope: which products were affected​

• The publicly documented PoC targeted Copilot Personal (consumer) experiences. Multiple reports and the Varonis write‑up emphasize the consumer surface as the affected area.
• Microsoft’s enterprise offering, Microsoft 365 Copilot, was reported in coverage and by Varonis to be not affected in the same way because tenant governance (Purview auditing, tenant‑level DLP and admin controls) provides additional enforcement that the consumer flows did not. That difference is important for organizations that separate consumer and tenant‑managed experiences.
• Public CVE/tracker entries and vendor advisories associated with the remediation were published in late January 2026; there is some variation in third‑party trackers about which CVE number maps to which narrative, so administrators should always verify CVE entries on Microsoft’s official MSRC/Update Guide pages.

Caution: some community threads and feeds listed different CVE identifiers for related Copilot disclosures. Those discrepancies are not unusual during rapidly evolving disclosures; use Microsoft’s Security Update Guide for the authoritative mapping to KBs and builds.

---

Timeline and vendor response — what’s verified​

• Varonis published the Reprompt write‑up and PoC on January 14, 2026, after coordinating disclosure.
• Multiple industry outlets reported Microsoft deployed mitigations in the mid‑January 2026 Patch Tuesday update cycle; independent coverage placed the remedial roll‑out around January 13–14, 2026.
• Public trackers and the Microsoft Security Update Guide list one or more CVE entries and security updates associated with Copilot fixes; administrators should confirm the exact KB numbers and build revisions against their device fleet using Microsoft’s update portal and WSUS/Intune console.

At the time of disclosure there were no confirmed reports of mass exploitation in the wild, but defenders were advised to act quickly because the attack is low‑friction and highly scalable via phishing.

---

Immediate actions for end users​

• Treat any Copilot deep link (a link that opens or pre‑fills an AI assistant) as potentially malicious unless you can verify the sender and context.
• If Copilot behaves oddly or asks for personal data unexpectedly, immediately close the session, delete unfamiliar chats, sign out of the app, and sign back in to invalidate local session state. Varonis’ recommendations explicitly include user‑level session reset steps.
• Apply Windows and Microsoft 365 updates promptly. The Reprompt mitigations were included in the January 2026 Patch Tuesday releases; patching removes the specific PoC vector.
• Avoid pasting secrets, credentials, API keys, or personally identifying data into any consumer AI assistant. If you already have, rotate those credentials immediately.
• Use reputable, third‑party anti‑malware and anti‑phishing tools and keep signature/heuristics and browser updates current. While endpoint tools can’t fully defend against vendor‑hosted flows, they still reduce overall phishing risk.

---

Immediate actions for IT teams and administrators​

• Patch first: confirm deployment of the January 2026 updates that address the Copilot fixes across all managed endpoints (check WSUS/Intune and the Microsoft Security Update Guide for exact KB numbers).
• Restrict Copilot Personal on corporate devices until you’ve validated client versions and telemetry: consider blocking consumer Copilot flows via policy, or mandate Microsoft 365 Copilot under tenant governance for work data.
• Tighten Entra (Azure AD) consent policies and app approvals: limit who can install or approve agents, connectors, or third‑party published deep links that could target enterprise users.
• Audit DLP and Purview controls for sensitive workloads; enforce policies to prevent consumer assistant flows from accessing regulated data or system resources. Enterprise Copilot benefits from these tenant controls — consumer surfaces do not.
• Instrument telemetry: monitor for unusual Copilot outbound requests and anomalous deep‑link activations; ask vendor support for enriched logs when investigating suspected incidents.

---

Detection, forensics, and indicators of compromise​

Reprompt’s stealth stems from low‑volume, vendor‑hosted flows. Traditional network DLP and egress monitors may not flag traffic to trusted vendor domains, so defenders should:

• Correlate local browser/OS events with Copilot process activity and unusual outbound requests to nonstandard endpoints.
• Look for sequences of small, structured outbound fetches following a deep‑link activation event — the chain‑request pattern often uses staged URLs that evolve based on context.
• Monitor for sudden spikes in Copilot activity after a user clicks a deep link, and validate any unusual follow‑up requests to external servers or obscure domains.
• If suspicious activity is found, rotate affected session tokens and credentials, and perform a scoped verification of recently accessed files and shared content.

Varonis suggested specific telemetry signals and recommended vendors provide hardened Known‑Issue Responses (KIRs) for defenders; get those KIRs from Microsoft if you need vendor correlation.

---

Why Reprompt matters beyond a single patch​

Reprompt isn’t only about a single bug in Copilot; it exposes a broader, architectural challenge:

• Convenience features (deep links, prefilled prompts, server‑driven follow‑ups) implicitly trust external inputs. If those inputs are not treated as untrusted throughout the assistant’s lifecycle, they become remote prompt‑injection channels.
• Enforcement that only checks the “first pass” is brittle. Assistants must maintain safety semantics across repeated invocations, refinements, and chained server interactions.
• Vendor‑hosted flows complicate detection: exfiltration inside trusted domains weakens the visibility of endpoint and network controls and demands stronger vendor telemetry and auditing primitives.
• Consumer AI surfaces used for work tasks on corporate devices expand the attack surface. The logical separation between consumer and enterprise Copilot experiences matters; organizations should prefer tenant‑governed instances where possible.

---

Strengths and responsible aspects of the response​

• The researchers followed coordinated disclosure and made a detailed, reproducible PoC available; that transparency gave vendors, admins and the public the information required to act quickly. The Varonis write‑up includes diagrams and step‑by‑step chains that make mitigation practical.
• Microsoft responded within the January Patch Tuesday window to mitigate the vector for Copilot Personal users. Multiple independent outlets reported on the fixes and urged patching.
• The episode has already catalyzed practical defensive guidance: block consumer Copilot on managed devices where governance is required, apply DLP, and treat AI deep links as high‑risk phishing lures.

---

Risks, caveats, and unresolved questions​

• The public PoC was developed under lab conditions; absence of confirmed mass exploitation does not equal impossibility that threat actors weaponized the technique before or after disclosure. The low technical bar and the ease of distribution via phishing make Reprompt inherently attractive.
• There is some inconsistency in third‑party CVE trackers and feeds about which CVE maps to which public write‑up. Administrators should rely on Microsoft’s Security Update Guide (MSRC) and direct KB mappings for authoritative remediation steps.
• The fix for the specific PoC does not eliminate the underlying design class: any assistant that accepts external prefilled prompts, performs fetches, or accepts server‑driven follow‑ups must be hardened against prompt‑injection chaining. Vendors and platform architects will need to redesign enforcement so safety checks persist across conversational state.

Cautionary note: claims about private disclosure dates or internal timelines are often reported in community threads and should be treated cautiously unless confirmed by the vendor or the research team. Public advisories occasionally omit granular disclosure timelines for operational reasons.

---

Practical checklist — immediate to medium term​

• Immediate (0–7 days)
• Confirm January 2026 Patch Tuesday updates are installed across endpoints.
• Block or restrict Copilot Personal on corporate devices until you’ve validated versions and policies.
• Run an urgent user awareness advisory that flags AI deep links as high‑risk and instructs users not to click unexpected Copilot links.
• Short term (1–3 months)
• Harden Entra consent and app installation policies; restrict who can publish or approve agents and demo pages.
• Integrate Copilot telemetry into SIEM/EDR workflows and correlate deep‑link activations with outbound network patterns.
• Medium term (3–12 months)
• Evaluate tenant‑governed Copilot offerings for regulated workflows.
• Engage vendors for improved audit trails and KIRs; require persistent enforcement semantics across conversational turns and remote follow‑ups.

---

Longer‑term platform and policy implications​

This incident should force product teams and security architects to reexamine assumptions about “trusted domains” and user intent. Designing AI assistants requires:

• Treating external inputs (URLs, deep links, page content) as untrusted by default.
• Applying enforcement continuously across the conversational state, not only at the first invocation.
• Offering enterprise‑grade governance, semantic DLP, and robust audit trails for both consumer and tenant surfaces.
• Exposing clear administrative controls that let organizations disable consumer flows on managed devices.

If these architectural principles are not universally adopted, vendors will continue to see practical prompt‑injection chains and agentic abuse patterns that are easy to scale with phishing.

---

Conclusion​

Reprompt is a wake‑up call: convenience features in AI assistants — deep links, prefilled prompts and server‑driven follow‑ups — can be composed into powerful, low‑cost exploitation techniques. The attack demonstrated by Varonis relied on legitimate UX affordances and simple procedural tricks to bypass enforcement, and while Microsoft has patched the specific vector in Copilot Personal, the broader design lessons remain urgent.
For everyday users: be skeptical of any link that opens an AI chat or pre‑fills a prompt; patch promptly; and avoid sharing secrets with consumer assistants.
For administrators and vendors: verify patches, enforce tenant governance, harden consent and DLP policy, and redesign assistant architectures to treat external inputs as explicitly untrusted across the entire conversational life cycle. The industry must build semantic, stateful enforcement that survives repetition and chaining — otherwise convenience will continue to become a vector for abuse.

---

Source: Techlicious Think Twice Before Clicking Links That Open AI Chats