Varonis — Reprompt: single-click Copilot prompt injection chain for silent data exfiltration

• Category: Security

  • Claim (research): Varonis Threat Labs describes Reprompt, an attack flow against Microsoft Copilot Personal where a single click on a legitimate link can start a prompt-driven exfiltration chain.
  • Entry point: The technique uses a deep-link pattern where the q URL parameter pre-fills (and can auto-execute) a prompt.
  • Bypassing “first-request” guardrails: The writeup claims that certain leak protections applied only to the initial request and could be bypassed by instructing Copilot to repeat the action (a “double-request” behavior).
  • Stealthy follow-ups: In the “chain-request” pattern, Copilot fetches attacker-controlled URLs that respond with the next instructions, enabling iterative exfiltration.
  • Why it’s hard to spot: If the real instructions arrive from the attacker’s server after the first click, the initial prompt may look benign while the later steps do the damage.
  • Persistence (session): The report claims the process can continue even if the user closes the Copilot tab, because it leverages the victim’s active session.
  • Scope note: Varonis states it affected Copilot Personal and that Microsoft 365 Copilot (enterprise) was not impacted.
  • Status: Varonis says Microsoft confirmed the issue is patched.

Why it matters

  • “One-click” is the new phishing bar: Deep links that carry prompts are UX-friendly, but they also reduce attacker friction to almost zero.
  • Prompt injection without plugins: This isn’t “install a risky connector” — it’s leveraging default product behavior (pre-filled prompts + web requests).
  • Design lesson: If guardrails apply only to the first tool/web call, attackers will structure flows to move the sensitive step to request #2.

What to do

  1. Assume prompt deep-links are untrusted input: Treat ?q=... (and equivalents) as a security boundary; require explicit user confirmation before executing pre-filled prompts.
  2. Make protections “sticky”: Apply DLP / URL-fetch controls across the entire chain, not just the first request.
  3. Constrain web fetching: If your assistant can retrieve URLs, enforce allowlists, block private IP ranges, and log all outbound fetches.
  4. Hunt for patterns: Detect repeated identical “tool calls” or repeated outbound fetches to newly seen domains (a typical chaining signal).
  5. User training: Teach staff that “it’s a Microsoft link” doesn’t mean the embedded prompt is safe — check the prefilled text before proceeding.
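As an added example illustrating steps 1 to 4 (this is not Varonis's or Microsoft's code): a Python fetch-policy gate that is applied to every call in a session rather than only the first, a helper that extracts the `?q=` prompt so the UI can show it for confirmation, and a detector over tool-call log entries that flags repeated identical calls and first fetches to unlisted domains. The allowlist, the log record format (`session`, `seq`, `tool`, `url`) and the sample entries are assumptions constructed for the example.

```python
"""Added example (not Varonis's or Microsoft's code): a fetch-policy gate,
a ?q= prompt extractor, and a chain-detection pass over constructed
tool-call log entries.

Assumptions (not from the page): tool calls are dicts with 'session',
'seq', 'tool' and 'url' keys; the allowlist and sample log are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed allowlist of hosts the assistant may fetch from.
ALLOWED_HOSTS = {"learn.microsoft.com", "intranet.example"}


def fetch_allowed(url: str) -> tuple[bool, str]:
    """Decide whether the assistant may fetch this URL. The same check runs
    for every call in a chain, not only the first one (the 'sticky' control)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    host = parsed.hostname or ""
    # Literal IPs: block private, loopback, link-local and reserved ranges.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return False, f"private/internal address {ip}"
        return False, "literal IP not on allowlist"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # Assumption: a real deployment re-checks the resolved address at connect
    # time, since an allowlisted hostname could still resolve to a private IP.
    return True, "ok"


def prefilled_prompt(deep_link: str) -> str | None:
    """Extract a pre-filled prompt from a ?q= deep link. A non-empty result is
    untrusted input: show it to the user and require confirmation first."""
    values = parse_qs(urlparse(deep_link).query).get("q")
    return values[0] if values else None


def chain_signals(calls: list[dict], max_repeat: int = 1) -> dict[str, list[str]]:
    """Per session, flag the chaining signals the page names: identical tool
    calls repeated beyond max_repeat, and fetches to domains first seen during
    the session. Every fetch is also run through fetch_allowed()."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_session: dict[str, list[dict]] = defaultdict(list)
    for c in calls:
        by_session[c["session"]].append(c)
    for session, session_calls in by_session.items():
        session_calls.sort(key=lambda c: c["seq"])
        repeats = Counter((c["tool"], c["url"]) for c in session_calls)
        for (tool, url), n in repeats.items():
            if n > max_repeat:
                findings[session].append(f"repeated {tool} {url} x{n}")
        seen_domains: set[str] = set()
        for c in session_calls:
            if c["tool"] != "web_fetch":
                continue
            host = urlparse(c["url"]).hostname or ""
            allowed, reason = fetch_allowed(c["url"])
            if not allowed:
                findings[session].append(f"seq {c['seq']}: blocked fetch ({reason})")
            if host not in ALLOWED_HOSTS and host not in seen_domains:
                findings[session].append(f"seq {c['seq']}: first fetch to new domain {host}")
            seen_domains.add(host)
    return dict(findings)


# Constructed sample log: one benign session and one that looks like a chain.
SAMPLE_CALLS = [
    {"session": "s1", "seq": 1, "tool": "web_fetch", "url": "https://learn.microsoft.com/docs"},
    {"session": "s2", "seq": 1, "tool": "web_fetch", "url": "https://newly-seen.invalid/step1"},
    {"session": "s2", "seq": 2, "tool": "web_fetch", "url": "https://newly-seen.invalid/step1"},
    {"session": "s2", "seq": 3, "tool": "web_fetch", "url": "http://10.0.0.5/internal"},
]

if __name__ == "__main__":
    for session, notes in chain_signals(SAMPLE_CALLS).items():
        print(session)
        for note in notes:
            print("  ", note)
```

The benign session produces no findings; the second session is flagged for the repeated identical fetch, for both fetches to the unlisted domain, and for the attempt to reach a private address, and each of those checks fires on the later calls in the chain just as it does on the first.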

Sources