The Silent Listener: How “Reprompt” Hijacks Microsoft Copilot with One Click
Security analysts at Varonis have unveiled a sophisticated offensive targeting Microsoft’s AI assistant, designated as Reprompt. This maneuver empowers an adversary to hijack a user’s session and clandestinely exfiltrate sensitive personal data. Although a security remediation has since been deployed, the underlying mechanics of the assault have incited profound concern, particularly given the ubiquitous integration of Copilot across Windows and its ancillary ecosystems.
According to the researchers, the attack relies on hiding a malicious prompt inside a seemingly innocuous hyperlink. When the user clicks it, Copilot processes the embedded command on its own, giving the attacker access to the active AI session, and that access persists even after the browser tab is closed. Reprompt requires no extensions or additional tooling: a single click is enough to start covert data exfiltration.
The core weakness lay in the ability to pass instructions through the “q” parameter of the URL, which Copilot treats as a legitimate user query. When the command is carefully crafted, the AI executes it without the user’s knowledge. Producing a reliable data leak, however, takes more than one interaction. The researchers combined several techniques to evade defensive filters and establish a resilient, bidirectional channel between Copilot and an external command-and-control server.
The study delineates a scenario in which an attacker dispatches a link masquerading as a legitimate resource. Following the user’s engagement, the AI fulfills the embedded directive and subsequently awaits further instructions from the adversary’s server. These subsequent requests remain invisible to client-side security systems, as they are transmitted following the initial handshake.
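Because the technique hinges on a prefilled prompt carried in a link’s query string, one practical defensive check is to inspect links in inbound mail for assistant URLs whose prompt parameter is unusually long or embeds a second, external URL (the hallmark of a link that points the assistant at an attacker-controlled server). The scanner below is an added example written for this article; it is not code from Varonis or Microsoft. The assistant hostname, the length threshold, and the sample e-mail body are constructed placeholders and should be replaced with the values that apply in your own environment.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed assistant hostnames to watch (constructed placeholder, not the real endpoint).
ASSISTANT_HOSTS = {"copilot.example.com"}
PROMPT_PARAM = "q"        # the query parameter named in the Varonis research
MAX_PROMPT_LEN = 200      # constructed threshold; tune to what normal prefilled prompts look like
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message: one suspicious link, one benign assistant link, one unrelated link.
SAMPLE_EMAIL = """Hi, please review the quarterly notes here:
https://copilot.example.com/?q=Summarize%20this%20page%20https%3A%2F%2Fexternal.example%2Fnotes
Also a normal one: https://copilot.example.com/?q=what%20is%20the%20weather%20today
And a docs link: https://docs.example.com/page?q=https%3A%2F%2Fother.example
"""


def extract_links(text):
    """Return every http(s) URL found in a block of text."""
    return URL_PATTERN.findall(text)


def analyze_link(url):
    """Describe why an assistant link is suspicious, or return None if it is not.

    Only links to an assistant host that carry a prefilled prompt are examined;
    everything else is out of scope for this check.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in ASSISTANT_HOSTS:
        return None

    prompts = parse_qs(parsed.query).get(PROMPT_PARAM)
    if not prompts:
        return None
    prompt = prompts[0]  # parse_qs already percent-decodes the value

    reasons = []
    if len(prompt) > MAX_PROMPT_LEN:
        reasons.append("long_prefilled_prompt")

    # A prompt that names a URL on some other host is the pattern to watch for:
    # the assistant would be told to fetch from, or report to, that host.
    external = [
        u for u in URL_PATTERN.findall(prompt)
        if urlparse(u).netloc.lower() not in ASSISTANT_HOSTS
    ]
    if external:
        reasons.append("external_url_in_prompt")

    if not reasons:
        return None
    return {
        "url": url,
        "host": host,
        "prompt_length": len(prompt),
        "external_urls": external,
        "reasons": reasons,
    }


def scan_message(body):
    """Run analyze_link over every link in a message body and collect the findings."""
    findings = []
    for link in extract_links(body):
        result = analyze_link(link)
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        print(finding)
```

The check deliberately keys on structure (an assistant link with a prefilled prompt that references another host) rather than on specific wording, since the article notes that the visible first query does not reveal what the remote server will send later. Flagged links are best routed to a quarantine or rewrite step rather than blocked outright, because legitimate prefilled prompts do exist.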
One specific stratagem—the re-submission of a prompt—serves to bypass Copilot’s internal filters, which are primarily calibrated to scrutinize the initial input. For instance, to exfiltrate a sensitive passphrase, the attackers coerced Copilot into repeating an action; while the first attempt was scrutinized, the second iteration successfully returned the confidential data.
The Varonis team demonstrated how the technique could be used to silently harvest e-mail and other personal data that the AI can reach. A video demonstration shows the attack beginning with an ordinary e-mail containing the malicious link. Once the link is opened, Copilot receives its directives and relays the information to a remote server. Inspecting the initial query alone does not reveal the scope of the exfiltration, because the main payload is delivered later from the remote server.
Microsoft was notified of the vulnerability in August of the previous year; a formal fix was only released on January 14 as part of a scheduled security update. While there is currently no evidence of Reprompt being exploited in the wild, installing the latest Windows updates without delay is strongly recommended.
Varonis emphasized that this flaw specifically impacted the personal iteration of Copilot integrated into the Edge browser and other consumer products. Conversely, the enterprise-grade Microsoft 365 Copilot remained insulated due to robust administrative controls, including auditing via Purview, tenant-level restrictions, and stringent data loss prevention (DLP) policies.