Cybersecurity researchers disclosed on Jan 15, 2026 a method called Reprompt that could let attackers exfiltrate data from AI chatbots such as Microsoft Copilot with a single click, bypassing enterprise controls in a report by Varonis
KEY FACTS
- Incident New attack method named Reprompt targets AI chatbots
- Affected product Demonstrated against Microsoft Copilot
- Vector Single click on a crafted Copilot URL with a “q” parameter
- Status Microsoft addressed the issue and enterprise Copilot customers are not affected
The technique chains three behaviors to create a hidden exfiltration channel. It injects instructions via Copilot’s “q” URL parameter. It instructs the assistant to repeat actions so initial data-leak safeguards are bypassed. It then triggers a back-and-forth exchange with an attacker server that can deliver follow up commands.
An attacker can deliver a legitimate Copilot link to a target by email or other means. A single click opens Copilot with the injected prompt. No plugins or additional user interaction with Copilot are required and the session can continue after the chat window is closed.
The approach creates a blind spot because subsequent commands come from the attacker’s server rather than from the initial URL. That makes it hard to determine what data is being requested by inspecting the starting prompt. The report warns the server can probe for progressively more sensitive information.
Microsoft addressed the vulnerability and the disclosure notes enterprise customers using Microsoft 365 Copilot are not affected. Recommended mitigations include limiting agent privileges, restricting agent access to business critical information, monitoring AI activity, and exercising caution with links to AI assistants.
WHY IT MATTERS
Reprompt can turn an AI assistant into an invisible channel for data exfiltration without extra user action. As AI agents gain broader access to corporate data the potential blast radius from a single flaw increases, making layered defenses and monitoring essential.