Overview
- Varonis Threat Labs disclosed the Reprompt technique to Microsoft on August 31, 2025, and the company issued a fix on January 13, 2026’s Patch Tuesday.
- The attack injected instructions via Copilot’s 'q' URL parameter, then used a double-request bypass and server-driven chain requests to sustain covert exfiltration.
- A single click on a phishing link let attackers control a user’s Copilot Personal session even after the chat window closed, pulling data such as name, location, and chat history details.
- Microsoft and Varonis say the issue affected Copilot Personal, while Microsoft 365 Copilot for enterprises was not impacted due to added protections like tenant-level DLP and Purview auditing.
- Researchers report no known in-the-wild exploitation, but warn that detection is difficult because follow-up commands come from the attacker’s server, so users should update immediately and avoid suspicious links.