A newly discovered attack method called Reprompt allows attackers to take over Copilot.
Security researchers have discovered an attack technique that allows attackers to take over and abuse an active session of Microsoft Copilot to steal sensitive data. The method is called Reprompt and requires only one click from the victim on a phishing link.
Malicious prompt in URL
The attack was discovered by researchers at Varonis, writes Bleeping Computer. They demonstrated that Copilot accepts prompts via the q-parameter in a URL and automatically executes them when the page is loaded. By hiding a malicious prompt in that parameter and distributing the link via phishing, Copilot can execute commands on behalf of the user, without their knowledge.
After the first click, the existing, logged-in Copilot session remains active, even if the tab is closed. This makes it possible to send follow-up commands in the background and steal data, such as conversation history or other Microsoft data.
Security bypassed
Reprompt combines multiple techniques, including repeating and chaining requests. As a result, Copilot’s data leak protections, which are mainly active during the first request, are bypassed. Because the real instructions only come later from an external server, it is difficult for security tools to see which data is being stolen.
Varonis responsibly reported the vulnerability to Microsoft in August 2025. The problem has since been resolved with the security updates of Patch Tuesday in January 2026. Abuse has not been identified, but it is recommended to update systems as soon as possible. Reprompt only affected Copilot Personal and not Microsoft 365 Copilot for businesses. It is now clear that Copilot can be hacked.