Varonis Threat Labs disclosed a prompt-injection attack chain dubbed Reprompt that enabled one-click data theft from Microsoft Copilot by abusing how Copilot accepts prompts via a URL. The technique relied on the q URL parameter to auto-populate and execute attacker-supplied instructions when a victim clicked a crafted Copilot link, requiring no plugins, connectors, or additional user-entered prompts. Researchers reported the method could expose sensitive information previously available in the Copilot session, including PII, and could continue exfiltration even after the Copilot chat window was closed.
The reported attack flow chained multiple techniques to bypass Copilot’s protections, including Parameter-to-Prompt (P2P) injection via the q parameter and a double-request bypass in which safeguards applied to an initial request but could be defeated by forcing Copilot to repeat the task, leading to disclosure on a subsequent attempt. Varonis also described chain-request exfiltration to maintain covert control of the session and progressively extract data. Reporting indicates Microsoft took action in response to the research, though the core risk highlighted is that URL-triggered prompt execution and multi-step request chaining can undermine AI assistant guardrails if not consistently enforced across requests and session states.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Varonis Threat Labs publicly disclosed 'Reprompt,' describing a one-click attack in which a crafted Copilot link injected prompts through the 'q' URL parameter, used repeated requests to bypass protections, and silently exfiltrated sensitive data. The researchers said the attack could persist after the chat window was closed and was difficult for client-side monitoring tools to detect.
Microsoft fixed the Copilot flaw before public disclosure, with reporting indicating the patch was included in its January 2026 security updates. Microsoft said Microsoft 365 Copilot enterprise customers were not affected.
Varonis Threat Labs privately notified Microsoft of the 'Reprompt' vulnerability, a prompt-injection technique that abused a Copilot URL parameter to bypass guardrails and enable data exfiltration. The issue affected Copilot Personal rather than Microsoft 365 Copilot enterprise users.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
techrepublic.com
Open sourcezdnet.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.