Microsoft patched a vulnerability in its Copilot AI assistant after white-hat researchers from security firm Varonis demonstrated a multistage attack that exfiltrated sensitive user data with a single click on a legitimate Copilot URL.
In the proof-of-concept, the attacker directed users to a legitimate Copilot link that loaded a malicious prompt via the q parameter. Copilot Personal then embedded details from the user’s Copilot chat into outbound web requests, exposing the target’s name, location, and event details.
The attack continued to run even after the user closed the Copilot chat, requiring no further interaction once the link was clicked.
The chain bypassed enterprise endpoint protections and detection by endpoint protection apps, highlighting how a well-crafted prompt could operate outside typical security controls.
Varonis described guardrails in Copilot that were designed to prevent data leakage, but researchers found that the guardrails applied mainly to the initial request. By repeating prompts, the attacker could extract data across several stages, a tactic Microsoft has begun addressing with changes to Copilot’s safeguards.
Varonis disclosed the attack and released materials illustrating Reprompt, a name the firm gave to the tactic. Microsoft has stated that Copilot Personal was affected, while Copilot for Microsoft 365 was not.
