Security researchers disclosed Reprompt, a single-click attack against Microsoft Copilot Personal that enabled stealthy exfiltration of sensitive user data by abusing a legitimate Copilot URL containing a malicious q parameter. After a victim clicks the link (typically delivered via phishing), the crafted URL triggers Parameter-to-Prompt (P2P) injection, auto-executing attacker-controlled prompts within the victim’s authenticated Copilot session; researchers reported the attacker can maintain control and continue querying data even after the Copilot window/tab is closed. Microsoft has patched the issue.
Varonis Threat Labs described an attack chain that combines three techniques to bypass Copilot’s guardrails and evade detection: P2P injection (prompt injection via the q parameter on page load), Double-Request (leveraging the observation that leak protections may apply to the first request but not a repeated action), and Chain-Request (server-driven, sequential follow-up prompts that adapt based on prior responses). Reported exposed data includes personally identifiable information (PII) and other Copilot-accessible context such as conversation memory and user details (e.g., location and activity/history), with the staged prompting designed to appear benign while progressively leaking information to attacker-controlled infrastructure.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
In response to the disclosure, Microsoft stated that Microsoft 365 Copilot enterprise customers were not impacted by the vulnerability. Coverage said enterprise protections and the pre-disclosure patching meant the issue did not affect those users.
On public disclosure, Varonis described a multistage attack chain using Parameter-to-Prompt injection, a double-request guardrail bypass, and chained follow-on prompts to exfiltrate sensitive Copilot chat data after a single click. Reports said the issue affected Microsoft Copilot Personal, could persist after the chat window was closed, and that no in-the-wild exploitation had been observed.
Microsoft fixed the Reprompt vulnerability before public disclosure, with multiple reports tying the remediation to the January 2026 Patch Tuesday release. The patch was released on Patch Tuesday, preventing the disclosed one-click attack chain against affected Copilot users.
Varonis Threat Labs responsibly disclosed a one-click data-exfiltration issue in Microsoft Copilot to Microsoft. The report said the attack abused the Copilot "q" URL parameter to inject prompts and hijack an authenticated session.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcethehackernews.com
Open sourcemalwarebytes.com
Open sourcearstechnica.com
Open sourcecybersecuritynews.com
Open sourcezdnet.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.