January 17, 2026 – Security researchers have disclosed a critical vulnerability in Microsoft Copilot that allowed attackers to steal sensitive user data through a single mouse click. The exploit, dubbed “Reprompt” by Varonis Threat Labs, manipulated how the AI chatbot processed URL parameters to execute malicious commands silently.
Microsoft has patched the flaw following a responsible disclosure process. The company confirmed the vulnerability affected the consumer version of Copilot but stated that Microsoft 365 Copilot for enterprise users remained secure.
The “Reprompt” Mechanism
The attack exploited a technique called Parameter 2 Prompt (P2P) injection. The vulnerability existed in the q URL parameter, which Microsoft uses to pre-fill prompts when a user opens Copilot via a link.
By crafting a specific URL, attackers could inject instructions that the AI executed immediately upon the page loading. The research team discovered that simply injecting a prompt was often caught by safety filters. To overcome this, they developed a bypass technique involving two key steps:
Double-Request Bypass: The malicious prompt instructed Copilot to repeat its output. Researchers found that while the initial malicious output might be flagged and blocked, the repetition often bypassed the safety filter, allowing the command to execute.
Chain-Request Exfiltration: Once the prompt executed, it established a connection to an external, attacker-controlled server. This turned the chat session into a listener that accepted new commands remotely.
Silent and Persistent Access
The severity of Reprompt lay in its stealth. Unlike attacks requiring credential entry or file downloads, this exploit needed only one click on a legitimate copilot.microsoft.com link.
Once the victim clicked the link, the “Reprompt” payload activated. The attacker could then perform the following actions without further user interaction:
Data Exfiltration: Summarize and transmit emails or documents accessible to the AI.
Context Theft: Access the user’s location and previous chat history.
Persistence: The connection to the attacker’s server remained active even if the user attempted to close the specific chat window.
Varonis researcher Dolev Taler noted that the attack allowed for “stealthy data exfiltration” where the victim would see a standard chat interface while the AI worked in the background to steal data.
Mitigation and Industry Impact
Microsoft deployed a fix to block this specific P2P injection vector before the vulnerability was made public. No user action is required to apply the patch.
This incident highlights a growing class of vulnerabilities specific to Large Language Models (LLMs). As AI tools increasingly integrate with external applications and data, “AI deep links”—URLs that auto-load context—become attractive targets for threat actors.
Actionable Insights for Security Professionals:
Monitor AI Interaction: Security teams should monitor for unusual outbound traffic patterns originating from AI-integrated applications.
Validate Input Sanitization: Developers integrating LLMs must ensure URL parameters and external inputs cannot override system prompts or safety guardrails.
User Awareness: Update security awareness training to include the risks of clicking pre-filled AI prompt links, even when they point to trusted domains like Microsoft or Google.
