AI copilots are incredibly intelligent and useful — but they can also be naive, gullible, and even dumb at times.
A new one-click attack flow discovered by Varonis Threat Labs researchers underscores this fact. ‘Reprompt,’ as they’ve dubbed it, is a three-step attack chain that completely bypasses security controls after an initial LLM prompt, giving attackers invisible, undetectable, unlimited access.
“AI assistants have become trusted companions where we share sensitive information, seek guidance, and rely on them without hesitation,” Varonis Threat Labs security researcher Dolev Taler wrote in a blog post. “But … trust can be easily exploited, and an AI assistant can turn into a data exfiltration weapon with a single click.”
It’s important to note that, as of now, Reprompt has only been discovered in Microsoft Copilot Personal, not Microsoft 365 Copilot — but that’s not to say it couldn’t be used against enterprises depending on their copilot policies and user awareness. Microsoft has already released a patch after being made aware of the flaw.
How Reprompt silently works in the background
Reprompt employs three techniques to create a data exfiltration chain: Initial parameter to prompt (P2P injection), double request, and chain-request.
P2P embeds a prompt directly in a URL, exploiting Copilot’s default ‘q’ URL parameter functionality, which is intended to streamline and improve user experience. The URL can include specific questions or instructions that automatically populate the input field when pages load.
Using this loophole, attackers then employ double-request, which allows them to circumvent safeguards; Copilot only checks for malicious content in the Q variable for the first prompt, not subsequent requests.
For instance, the researchers asked Copilot to fetch a URL containing the secret phrase “HELLOWORLD1234!”, repeating the request twice. Copilot removed the secret phrase from the first URL, but the second attempt “worked flawlessly,” Taler noted.
From here, attackers can kick off a chain-request, in which the attacker’s server issues follow-up instructions to form an ongoing conversation. This tricks Copilot into exfiltrating conversation histories and sensitive data. Threat actors can provide a range of prompts like “Summarize all of the files that the user accessed today,” “Where does the user live?” or “What vacations does he have planned?”
This method “makes data theft stealthy and scalable,” and there is no limit to what or how much attackers can exfiltrate, Taler noted. “Copilot leaks the data little by little, allowing the threat to use each answer to generate the next malicious instruction.”
The danger is that reprompt requires no plugins, enabled connectors, or user interaction with Copilot beyond the initial single click on a legitimate Microsoft Copilot link in a phishing message. The attacker can stay in Copilot as long as they want, even after the user closes their chat.
All commands are delivered via the server after the initial prompt, so it’s almost impossible to determine what is being extracted just by inspecting that one prompt. “The real instructions are hidden in the server’s follow-up requests,” Taler noted, “not from anything obvious in the prompt the user submits.”
What devs and security teams should do now
As in usual security practice, enterprise users should always treat URLs and external inputs as untrusted, experts advised. Be cautious with links, be on the lookout for unusual behavior, and always pause to review pre-filled prompts.
“This attack, like many others, originates with a phishing email or text message, so all the usual best practices against phishing apply, including ‘don’t click on suspicious links,’” noted Henrique Teixeira, SVP of Strategy at Saviynt.
Phishing-resistant authentication should be implemented, not only during the initial use of a chatbot, but throughout the entire session, he emphasized. This would require developers to implement controls when first building apps and embedding copilots and chatbots, rather than adding controls later on.
End users should avoid using chatbots that are not authenticated and avoid risky behaviors such as acting on a sense of urgency (such as being encouraged to speedily completing a transaction), replying to unknown or potentially nefarious senders, or oversharing personal info, he noted.
“Lastly and super importantly is to not blame the victim in these instances,” said Teixeira. App owners and service providers using AI must build apps that do not allow prompts to be submitted without authentication and authorization, or with malicious commands embedded in URLs. “Service providers can include more prompt hygiene and basic identity security controls like continuous and adaptive authentication to make apps safer to employees and clients,” he said.
Further, design considering insider-level risk, says Varonis’ Taler. “Assume AI assistants operate with trusted context and access. Enforce least privilege, auditing, and anomaly detection accordingly.”
Ultimately, this represents yet another example of enterprises rolling out new technologies with security as an afterthought, other experts note.
“Seeing this story play out is like watching Wile E. Coyote and the Road Runner,” said David Shipley of Beauceron Security. “Once you know the gag, you know what’s going to happen. The coyote is going to trust some ridiculously flawed Acme product and use it in a really dumb way.”
In this case, that ‘product’ is LLM-based technologies that are simply allowed to perform any actions without restriction. The scary thing is there’s no way to secure it because LLMs are what Shipley described as “high speed idiots.”
“They can’t distinguish between content and instructions, and will blindly do what they’re told,” he said.
LLMs should be limited to chats in a browser, he asserted. Giving them access to anything more than that is a “disaster waiting to happen,” particularly if they’re going to be interacting with content that can be sent via e-mail, message, or through a website.
Using techniques such as applying least access privilege and zero trust to try to work around the fundamental insecurity of LLM agents “look brilliant until they backfire,” Shipley said. “All of this would be funny if it didn’t get organizations pwned.”
