Reprompt Attack Let Hackers Hijack Microsoft Copilot Sessions

The rapid integration of large‑language‑model assistants like Microsoft Copilot into everyday operating systems expands the attack surface for threat actors. Unlike traditional software, these AI layers process natural‑language prompts in real time, often pulling user context from personal accounts. When a seemingly innocuous URL contains a crafted `q` parameter, the assistant can be coerced into executing hidden instructions, turning a benign click into a foothold for data theft. This shift underscores the necessity of treating AI prompt handling as a critical security vector.

Reprompt’s methodology exploits three intertwined techniques: parameter‑to‑prompt injection, a double‑request bypass that sidesteps initial data‑leak checks, and a chain‑request loop that feeds continuous commands from an attacker‑controlled server. Because the malicious payload is delivered after the first request, client‑side defenses that inspect only the initial URL miss the subsequent exfiltration traffic. The attack leverages the victim’s authenticated Copilot session, meaning no additional credentials are required, and it persists even after the browser tab closes. Such dynamics reveal gaps in runtime validation and the need for deeper telemetry that monitors instruction sequences rather than isolated calls.

For enterprises, the incident serves as a cautionary tale about the differing security postures between consumer‑grade and business‑grade AI services. While Microsoft 365 Copilot benefits from tenant‑level DLP, Purview auditing, and admin‑enforced restrictions, Copilot Personal lacked comparable safeguards until the recent patch. Organizations should enforce strict URL filtering, educate users about phishing links that appear to launch AI assistants, and prioritize timely deployment of security updates. As AI assistants become ubiquitous, a proactive, defense‑in‑depth approach will be essential to prevent similar prompt‑based exploits from emerging in the wild.