TL;DR: On January 14, 2026, Varonis Threat Labs disclosed a vulnerability called "Reprompt" that let attackers steal personal data from Microsoft Copilot with a single click. The attacker sends a crafted link. The victim clicks it. Copilot silently starts dumping their files, location, conversations, and browsing history to the attacker's server: no plugins, no user interaction beyond that one click. Microsoft patched the flaw on January 13, 2026, in its January Patch Tuesday update. Only Copilot Personal (consumer accounts) was affected. Microsoft 365 Copilot enterprise users weren't hit. But this attack exposes a deeper problem: AI assistants that automatically process untrusted input are a data exfiltration goldmine.

What Happened

Security researcher Dolev Taler at Varonis found that Microsoft Copilot, the AI assistant baked into Windows and Edge, could be weaponized through its own URL parameters.[1]

Here's the short version: Copilot accepts a "q" parameter in its URL that pre-fills prompts. That's a feature. Visit copilot.microsoft.com/?q=Hello and Copilot greets you. Convenient for developers. Also convenient for attackers.

Taler discovered that by chaining three techniques together, an attacker could make Copilot execute hidden instructions, bypass its safety filters, and continuously exfiltrate personal data to an external server. All from one link click.[1]

"Only a single click on a legitimate Microsoft link is required to compromise victims," Taler said. "No plugins, no user interaction with Copilot."[1]

How Reprompt Works

The attack chains three techniques:

  1. Parameter-to-Prompt Injection: The attacker crafts a Copilot URL with malicious instructions encoded in the "q" parameter. When the victim clicks, Copilot executes those instructions immediately, like typing a command directly into the chat.[1]
  2. Double-Request Bypass: Copilot checks for suspicious content on the first request. Just the first. The Varonis team found that instructing Copilot to "perform each action twice" was enough to slip past the guardrails on the second pass. That's it. That's the bypass.[1]
  3. Chain-Request Exfiltration: Once past the filters, Copilot fetches new instructions from the attacker's server. Each instruction tells Copilot to grab a specific type of data (files you've accessed, your location, your schedule) and send it back, then fetch the next instruction. An automated loop that keeps running until it's harvested everything useful.[2]

The chain-request piece is what makes this nasty. Because the exfiltration commands come from the attacker's server after the initial click, client-side security tools can't see what data is being stolen just by inspecting the starting prompt.[1]

What Data Gets Stolen

Varonis demonstrated that an attacker could pull:[1]

  • Usernames and account details
  • Location information
  • Vacation schedules
  • File access history
  • Conversation summaries from Copilot chats
  • Browsing activity

"There's no limit to the amount or type of data that can be exfiltrated," the researchers noted. "The server can request information based on earlier responses."[2] Meaning: the attack adapts. It finds what you have and takes what's valuable.

Worse, the attack persisted even after the user closed the Copilot chat window. The exploit used session-level context rather than relying on the chat staying open, so the data theft could keep running quietly in the background.[1]

Who Was Affected

Microsoft Copilot Personal: the version tied to consumer Microsoft accounts and integrated into Windows and Edge. If you use a personal Microsoft account with Copilot, you were potentially vulnerable before January 13.[3]

Enterprise customers using Microsoft 365 Copilot were not affected.[3]

Microsoft said there's no evidence of in-the-wild exploitation, though given the stealth of the technique, that's a hard thing to confirm with certainty.[3]

What Microsoft Did

Varonis reported the vulnerability in August 2025. Microsoft patched it in the January 13, 2026, Patch Tuesday update.[3]

"We appreciate Varonis Threat Labs for responsibly reporting this issue," Microsoft said. "We have rolled out protections that address the scenario described and are implementing additional measures to strengthen safeguards against similar techniques."[3]

Five months from report to fix. Not blazing fast, but the disclosure was responsible and the patch arrived before the research went public.

The Real Problem Here

Reprompt isn't just a Copilot bug. It's a preview of what happens when AI assistants with access to your data can be tricked by untrusted input.

The root cause is simple: large language models can't reliably tell the difference between instructions from the user and instructions injected by an attacker. This is the prompt injection problem, and nobody has solved it yet.[1]

Every AI assistant that reads emails, browses the web, or processes documents on your behalf is a potential exfiltration channel. Google Gemini, ChatGPT, Apple Intelligence, Microsoft Copilot: they all face variations of this attack surface.

Varonis put it bluntly: Reprompt highlights a broader and growing risk tied to AI assistants that automatically process untrusted input.[1] The more access your AI assistant has, the more damage a prompt injection can do.

We're handing these tools the keys to our digital lives (our files, our calendars, our emails) and the security model for keeping attackers from turning those tools against us is still, charitably, a work in progress.

What To Do Right Now

Update Windows and Edge

Make sure your system has the January 2026 Patch Tuesday update installed. The Reprompt fix is included. Check Windows Update settings and Edge's version to confirm you're current.

Be Suspicious of Copilot Links

Don't click links that open Copilot with pre-filled prompts, especially from emails, messages, or unfamiliar websites. If a link points to copilot.microsoft.com with URL parameters, think twice.
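
The same check, applied in bulk to links pulled from mail or proxy logs. This is an added example, not code from Varonis or Microsoft; the length threshold, the verdict labels and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

COPILOT_HOST = "copilot.microsoft.com"  # host named in the article
MAX_PROMPT_LEN = 200                    # assumed threshold, tune locally
URL_IN_PROMPT = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)

# Constructed sample links; the .invalid hosts are placeholders.
SAMPLE_LINKS = [
    "https://copilot.microsoft.com/?q=Hello",
    "https://copilot.microsoft.com/?q=PLACEHOLDER%20TEXT%20"
    "https%3A%2F%2Fcollector.example.invalid%2Fstep1",
    "https://copilot.microsoft.com.example.invalid/?q=Hello",
    "https://copilot.microsoft.com/",
]


def triage_copilot_link(url):
    """Return None for non-Copilot links, else a dict of findings."""
    parts = urlsplit(url)
    # Exact hostname match, so a look-alike host is not treated as Copilot.
    if (parts.hostname or "").lower() != COPILOT_HOST:
        return None
    # parse_qs percent-decodes, so encoded prompts are inspected in clear.
    prompts = parse_qs(parts.query, keep_blank_values=True).get("q", [])
    findings = {"prefilled": bool(prompts), "reasons": [], "referenced_hosts": []}
    for prompt in prompts:
        hosts = [h.lower() for h in URL_IN_PROMPT.findall(prompt)]
        if hosts:
            # A prompt that names an external server is where a
            # chain-request would fetch its follow-up instructions.
            findings["reasons"].append("prompt-references-url")
            findings["referenced_hosts"].extend(hosts)
        if len(prompt) > MAX_PROMPT_LEN:
            findings["reasons"].append("long-prompt")
    return findings


def verdict(url):
    """Map findings to not-copilot / ok / review / suspicious."""
    findings = triage_copilot_link(url)
    if findings is None:
        return "not-copilot"
    if findings["reasons"]:
        return "suspicious"
    return "review" if findings["prefilled"] else "ok"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(verdict(link), link)
```

A "review" verdict only means the link pre-fills a prompt, which is also how legitimate links behave; the "suspicious" signals are heuristics and will miss prompts that avoid them.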

Limit What Copilot Can Access

Review what data Copilot has access to in your Microsoft account settings. The less it can see, the less an attacker can steal through it.

Watch AI Assistants Closely

This won't be the last prompt injection attack. Any AI tool with access to your data is a potential attack vector. Use them with intention, not on autopilot.

References

  1. Varonis Threat Labs - Reprompt: The Single-Click Microsoft Copilot Attack that Silently Steals Your Personal Data (January 14, 2026)
  2. The Hacker News - Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot (January 2026)
  3. BleepingComputer - Reprompt Attack Hijacked Microsoft Copilot Sessions for Data Theft (January 2026)
  4. SecurityWeek - New 'Reprompt' Attack Silently Siphons Microsoft Copilot Data (January 2026)