Overview
- Varonis Threat Labs disclosed the technique to Microsoft on August 31, 2025, and publicly detailed the research with a proof-of-concept after the fix was released.
- The attack abused the 'q' URL parameter to auto-run a prompt on load, then used a double-request and a chain of follow-ups to bypass safeguards and extract data.
- Varonis found the exploit could persist even after the Copilot window was closed by leveraging the victim’s authenticated session.
- Microsoft said the issue applied to Copilot Personal and confirmed Microsoft 365 Copilot enterprise customers were not affected.
- No exploitation has been reported in the wild, and Microsoft’s January 13 Patch Tuesday update includes the fix, with users urged to apply updates and be wary of links that open AI assistants.