Overview
- Varonis Threat Labs reported the issue to Microsoft on August 31, 2025, and the fix shipped with January 2026 Patch Tuesday.
- The attack used the 'q' URL parameter to auto-execute hidden instructions with a single click, then kept working after the chat window was closed.
- Researchers chained Parameter-to-Prompt injection, a double-request trick to bypass initial safeguards, and a chain-request method to sustain exfiltration.
- A proof-of-concept pulled a user secret plus name, location, and chat-history details to an attacker-controlled server, evading client-side monitoring.
- Microsoft says Microsoft 365 Copilot was not affected, no in-the-wild exploitation is known, and users should update and treat external inputs as untrusted.