One-click 'Reprompt' attack could exfiltrate Microsoft Copilot user data

Varonis Threat Labs published research detailing a one-click attack called "Reprompt" that bypassed Microsoft Copilot security controls and could exfiltrate user data from Microsoft's Copilot Personal, the team said. The attack required only a user to click a link and abused the 'q' URL parameter to feed a prompt and malicious instructions to Copilot.

Reprompt chained three techniques—Parameter 2 Prompt (P2P) injection, a double-request that forced actions to run, and a chain-request that issued follow-up instructions—to extract information, including data previously submitted by the user. Varonis said the method was difficult to detect because user- and client-side monitoring tools could not see it and it bypassed built-in security mechanisms.

"Copilot leaks the data little by little, allowing the threat to use each answer to generate the next malicious instruction," the team added. A proof-of-concept video demonstration is available, the researchers said. Varonis privately disclosed Reprompt to Microsoft on Aug 31, 2025; Microsoft patched the vulnerability before public disclosure and confirmed enterprise users of Microsoft 365 Copilot were not affected.

"We appreciate Varonis Threat Labs for responsibly reporting this issue," a Microsoft spokesperson told ZDNET.

Key Topics

Tech, Microsoft Copilot, Reprompt, Varonis Threat Labs, Q Url Parameter, Data Exfiltration