Researchers have uncovered a new AI security flaw called Reprompt that enables attackers to silently steal data from Microsoft Copilot using a single malicious link.
Security researchers discovered that attackers can weaponize a legitimate Microsoft Copilot URL to silently steal data from a user’s Copilot session. The attack requires only one click on a trusted Microsoft link, making it particularly dangerous in phishing or social engineering campaigns.
Unlike conventional cyberattacks, Reprompt does not rely on malicious downloads, browser exploits, or credential theft. Instead, it abuses Copilot’s built-in prompt handling to trigger unauthorized actions automatically once the link is opened.
According to the researchers, the attack works even when users do not actively interact with Copilot after clicking the link.
According to Hacker News, the Reprompt attack is a sophisticated form of indirect prompt injection, exploiting how Microsoft Copilot processes URL query parameters.
At a technical level, the attack unfolds in three key stages:
The full attack chain unfolds after the first interaction; therefore, security teams cannot determine what data is being accessed by simply inspecting the original link.
Researchers stressed that the root of Reprompt lies in AI systems' inability to distinguish between instructions typed directly by a user and those delivered via external requests. This ambiguity opens the door for indirect prompt injections when untrusted data is parsed.
In 2024, researchers identified a similar AI security vulnerability involving ChatGPT. The researchers demonstrated that attackers could exploit a prompt injection flaw in ChatGPT by embedding malicious instructions inside shared documents connected through third-party integrations such as cloud storage platforms.
Both the ChatGPT and Microsoft Copilot cases exploit generative AI systems' inability to differentiate between trusted user input and untrusted external content reliably.
As AI assistants gain access to emails, clinical documentation, scheduling systems, and potentially electronic protected health information (ePHI), these vulnerabilities create new avenues for unauthorized disclosures. In such cases, organizations may face HIPAA compliance violations, breach notification obligations, and regulatory penalties.
Read more: Hackers exploit ChatGPT flaw to steal data
Taken together, the Copilot Reprompt attack and the earlier ChatGPT prompt injection findings show how attackers no longer need to compromise endpoints or steal credentials; instead, they can exploit the AI layer itself, transforming trusted productivity tools into covert data exfiltration mechanisms.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Organizations can limit AI access to sensitive data, implement strict access controls, monitor AI-driven activity, train staff on AI risks, and regularly review vendor security updates and disclosures.
Prompt injection itself is not automatically a HIPAA breach. However, if the attack results in unauthorized access, use, or disclosure of electronic protected health information (ePHI), it may qualify as a reportable data breach under HIPAA.
AI activity logs may help with post-incident analysis, but they are often insufficient for real-time detection. Prompt injection attacks can occur without obvious indicators such as malware, suspicious logins, or abnormal network traffic.