Reprompt Attack and Microsoft Copilot Prompt Injection

Reprompt is a prompt injection chain that let researchers exfiltrate sensitive data from Microsoft Copilot Personal after a single click on a legitimate-looking Copilot link.
The core issue is trust confusion. The assistant treated untrusted instructions embedded in a URL and follow-on server responses as if they were user intent, then continued executing even after the chat UI was closed.

Microsoft addressed the issue, and researchers stated Microsoft 365 Copilot enterprise customers were not affected by this specific scenario.
The durable takeaway is bigger than one bug. Any AI assistant that blends user context, enterprise data, and tool execution creates a new attack surface where links and embedded content can become command channels.

What Reprompt changed about the risk model

Classic phishing steals credentials, drops malware, or tricks a user into sending data. Reprompt operationalized a different pattern: the link itself becomes the prompt, the assistant becomes the operator, and the exfiltration path can be invisible to the user.

This matters because enterprise controls often assume a human is the decision point. When an assistant can act inside an authenticated session, the security boundary shifts from user behavior to model behavior and the policy enforcement around it.

How the Reprompt chain worked

1) Parameter-to-prompt injection via the q URL parameter

Researchers showed Copilot could accept a prompt from the q parameter in a URL and execute it on page load.
That turns a click into an implicit prompt submission, which collapses the time defenders normally have to detect and stop a user-driven action.

2) Guardrail bypass via double-request behavior

Researchers described a technique where protections applied strongly to the first request, then weakened on subsequent repeated actions. The chain instructed Copilot to perform tasks twice to slip past data-leak safeguards.

3) Chain-request control from an attacker server

After the first execution, the assistant was pushed into a back-and-forth loop where it fetched follow-on instructions from an attacker-controlled server, enabling continuous and dynamic data exfiltration.
Because the real instructions arrive later, inspecting only the initial link or first prompt is insufficient for determining what data is being pulled.

4) Persistence after the chat UI was closed

Reports emphasized the session context could be abused even after the user closed the Copilot chat, making the activity feel non-existent from the user perspective.

Practical impact for organizations

Even with this specific issue patched, the Reprompt pattern is a warning flare for any environment rolling out AI assistants broadly.

High-risk outcomes to plan for

Sensitive data disclosure from conversation history, summaries of recent activity, and other account-adjacent context that users casually share with assistants

Security monitoring blind spots when the malicious intent is delivered through chained prompts and remote instructions rather than an obvious user-entered prompt

Governance failure modes where consumer AI experiences live alongside corporate identities, browsers, extensions, and unmanaged link-click behavior

Patch status
Microsoft resolved the underlying issue, and multiple reports tie remediation to Microsoft’s January 2026 updates, with no public reporting of in-the-wild exploitation at the time of coverage.

InfoSight perspective on reducing AI assistant blast radius

AI assistant security fails when controls focus on one prompt at a time while attackers chain behavior across multiple turns, multiple requests, and multiple tools. Reprompt explicitly exploited that gap.

InfoSight’s stance is simple: treat AI assistants as privileged software handling sensitive workflows, not as a productivity widget.

Control objectives that hold up against prompt-injection chains

1) Constrain identity and session context

Separate consumer and corporate contexts where possible, enforce managed browser and managed identity flows, reduce persistence of long-lived sessions that can be abused after UI closure

2) Reduce what the assistant can see by default

Minimize accessible data sources, scope retrieval to least privilege, segment access to high-sensitivity repositories, avoid broad “all files” style reach

3) Enforce data protection at the platform layer

Use tenant-level controls such as auditing and DLP where available for the enterprise assistant experience, then treat any assistant outside that control plane as higher risk

4) Treat deep links and prefilled prompts as untrusted input

Apply URL and link governance to AI entry points the same way high-risk OAuth consent and attachment types are governed

Block or detonate suspicious link patterns and restrict assistant launch vectors that auto-execute prompts

5) Instrument assistant activity like an application

Centralize logs, correlate link-click events to assistant actions, alert on anomalous repeated requests, unusual outbound fetch behavior, or high-entropy exfil patterns

6) Validate guardrails with adversarial testing

Run prompt-injection testing and chain-request simulations as part of security assessments, then re-test after vendor updates and feature changes

Where InfoSight fits operationally

Security assessments and configuration hardening for M365 and identity controls that govern assistant access paths

Detection and response alignment so assistant-triggered data access and exfil attempts land in the same monitoring and escalation pipeline as other high-severity identity-driven events

Continuous exposure management to reduce adjacent weaknesses that make one-click chains more likely to succeed, including browser exposure, endpoint configuration drift, and identity control gaps

Bottom line

Reprompt is not primarily an AI novelty. It is a link-triggered command channel that exploited trust boundaries between URL input, model behavior, session context, and guardrail enforcement. The fix matters, but the pattern persists across assistants, browsers, and agentic workflows.

Source