New ‘Reprompt’ Attack Silently Siphons Microsoft Copilot Data

By Ionut Arghire
Publication Date: 2026-01-15 12:09:00

Security researchers at Varonis have discovered a new attack that allowed them to exfiltrate user data from Microsoft Copilot using a single malicious link.

Dubbed Reprompt, the attack bypassed the LLM’s data leak protections and allowed for persistent session exfiltration even after Copilot was closed, Varonis says.

The attack leverages a Parameter 2 Prompt (P2P) injection, a double-request technique, and a chain-request technique to enable continuous, undetectable data exfiltration.

The Reprompt Copilot attack starts with the exploitation of the ‘q’ parameter, which is used on AI platforms to deliver a user’s query or prompt via a URL. All it takes is for the user to click on the link.

“By including a specific question or instruction in the q parameter, developers and users can automatically populate the input field when the page loads, causing the AI system to execute the prompt immediately,” Varonis explains.
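For defenders, the prefill behavior described above means a link to an assistant that already carries a prompt in its q parameter is worth reviewing in mail-gateway or proxy logs. The following is an added example, not code from Varonis or Microsoft; the hostname list, the log format, the length threshold and the finding names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote_plus

# Assumption: assistant web front ends that accept a prefilled prompt.
# The article names no hostname; list the assistants used in your environment.
ASSISTANT_HOSTS = {"copilot.microsoft.com"}
PROMPT_PARAM = "q"      # URL parameter named in the article
MAX_BENIGN_LEN = 80     # assumed threshold, tune against your own traffic
URL_FIELD = re.compile(r"\burl=(\S+)")  # field layout of the constructed log

def inspect_link(url):
    """Return findings for one URL; an empty list means nothing to report."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["unparseable-url"]
    if host not in ASSISTANT_HOSTS:
        return []
    findings = []
    for prompt in parse_qs(parts.query).get(PROMPT_PARAM, []):
        findings.append("prefilled-prompt")
        if len(prompt) > MAX_BENIGN_LEN:
            findings.append("long-prompt")
        if re.search(r"https?://", prompt, re.IGNORECASE):
            findings.append("prompt-references-url")
    return findings

def scan(lines):
    """Return (line_number, url, findings) for each log line worth reviewing."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = URL_FIELD.search(line)
        if match:
            findings = inspect_link(match.group(1))
            if findings:
                hits.append((number, match.group(1), findings))
    return hits

# Constructed sample log lines (not real traffic).
_LONG = "constructed placeholder prompt " * 4 + "see https://example.invalid/x"
SAMPLE_LOG = [
    "2026-01-15T09:00:01Z user=alice url=https://copilot.microsoft.com/",
    "2026-01-15T09:00:07Z user=bob url=https://copilot.microsoft.com/?q=weather+today",
    "2026-01-15T09:01:12Z user=carol url=https://copilot.microsoft.com/?q=" + quote_plus(_LONG),
    "2026-01-15T09:02:00Z user=dave url=https://example.com/search?q=https://example.org",
]

if __name__ == "__main__":
    for number, url, findings in scan(SAMPLE_LOG):
        print(number, ",".join(findings), url[:60])
```

A short prefilled prompt is reported only as "prefilled-prompt" so that it can be triaged at low priority, while the length and embedded-URL findings raise it for review.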

A threat actor, the cybersecurity…