Reprompt attack enables single-click data theft from Microsoft Copilot

Researchers have uncovered a new AI security flaw called Reprompt that enables attackers to silently steal data from Microsoft Copilot using a single malicious link.

What happened

Security researchers discovered that attackers can weaponize a legitimate Microsoft Copilot URL to silently steal data from a user’s Copilot session. The attack requires only one click on a trusted Microsoft link, making it particularly dangerous in phishing or social engineering campaigns.

Unlike conventional cyberattacks, Reprompt does not rely on malicious downloads, browser exploits, or credential theft. Instead, it abuses Copilot’s built-in prompt handling to trigger unauthorized actions automatically once the link is opened.

According to the researchers, the attack works even when users do not actively interact with Copilot after clicking the link.

Going deeper

According to Hacker News, the Reprompt attack is a sophisticated form of indirect prompt injection, exploiting how Microsoft Copilot processes URL query parameters.

At a technical level, the attack unfolds in three key stages:

1. URL-based prompt injection: Attackers embed hidden instructions inside the q parameter of a Microsoft Copilot URL. When clicked, Copilot interprets the parameter as a legitimate user prompt.
2. Guardrail bypass: The malicious prompt instructs Copilot to repeat or re-issue commands in a way that bypasses built-in safety controls. This allows the AI to act on sensitive data requests that would normally be blocked.
3. Stealthy data exfiltration: After the initial click, Copilot begins communicating with an attacker-controlled server. From there, follow-up instructions are dynamically issued, enabling the attacker to extract additional data without further user action or visible prompts.

The full attack chain unfolds after the first interaction; therefore, security teams cannot determine what data is being accessed by simply inspecting the original link.

What was said

Researchers stressed that the root of Reprompt lies in AI systems' inability to distinguish between instructions typed directly by a user and those delivered via external requests. This ambiguity opens the door for indirect prompt injections when untrusted data is parsed.

In the know

In 2024, researchers identified a similar AI security vulnerability involving ChatGPT. The researchers demonstrated that attackers could exploit a prompt injection flaw in ChatGPT by embedding malicious instructions inside shared documents connected through third-party integrations such as cloud storage platforms.

Both the ChatGPT and Microsoft Copilot cases exploit generative AI systems' inability to differentiate between trusted user input and untrusted external content reliably.

As AI assistants gain access to emails, clinical documentation, scheduling systems, and potentially electronic protected health information (ePHI), these vulnerabilities create new avenues for unauthorized disclosures. In such cases, organizations may face HIPAA compliance violations, breach notification obligations, and regulatory penalties.

Read more: Hackers exploit ChatGPT flaw to steal data

Why it matters

Taken together, the Copilot Reprompt attack and the earlier ChatGPT prompt injection findings show how attackers no longer need to compromise endpoints or steal credentials; instead, they can exploit the AI layer itself, transforming trusted productivity tools into covert data exfiltration mechanisms.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

What steps can organizations take to reduce AI-related security risks?

Organizations can limit AI access to sensitive data, implement strict access controls, monitor AI-driven activity, train staff on AI risks, and regularly review vendor security updates and disclosures.

Is prompt injection considered a data breach under HIPAA?

Prompt injection itself is not automatically a HIPAA breach. However, if the attack results in unauthorized access, use, or disclosure of electronic protected health information (ePHI), it may qualify as a reportable data breach under HIPAA.

Can AI-generated activity logs help detect these attacks?

AI activity logs may help with post-incident analysis, but they are often insufficient for real-time detection. Prompt injection attacks can occur without obvious indicators such as malware, suspicious logins, or abnormal network traffic.