Security researchers have recently uncovered a striking vulnerability in Microsoft Copilot Personal that could have enabled attackers to quietly hijack users’ AI sessions and steal sensitive information — all with a single click. The flaw, dubbed the Reprompt attack, highlights a new class of threat where attackers exploit how AI assistants handle prompts and authenticated sessions.

At a high level, the Reprompt attack took advantage of the fact that active Copilot sessions remain valid for some time, even after a user closes the browser tab. That meant a malicious link could piggy-back on the user’s active session and issue commands to Copilot without further interaction. A carefully crafted phishing link containing a hidden malicious prompt would automatically execute when opened, tricking Copilot into running instructions the attacker embedded in the URL itself.

Researchers at Varonis Threat Labs, who discovered the issue, explained that the exploit worked through a combination of techniques. The first was Parameter-to-Prompt (P2P) injection, in which attackers embed malicious instructions directly into the q parameter of a Copilot URL. When the user clicked the link, Copilot would automatically interpret the injected text as a legitimate prompt, effectively giving the attacker control of the conversation.

From there, the attack could escalate. Copilot includes certain built-in safeguards designed to prevent sensitive data leakage, but Varonis found that these protections only applied to the initial request. By using a double-request technique, attackers could ask Copilot to repeat or rephrase actions in a way that bypassed those first-response defenses, allowing data that was initially blocked to be exposed on subsequent interactions.

Varonis also described a chain-request technique, where the attacker’s own server sends sequential prompts based on Copilot’s responses, maintaining a back-and-forth exchange that keeps the malicious session alive. This enabled a stealthy, ongoing exfiltration of data without any additional clicks from the victim.

If exploited successfully, the Reprompt attack could expose a broad range of personal data. Researchers warned that attackers could extract information such as personal Copilot history, summaries of files accessed, location or device details, and fragments of conversations or context the AI had seen. Because the attacker-driven prompts operate invisibly, none of this would necessarily be obvious to the user.

Microsoft was notified of the vulnerability in August 2025, and as of January 13, 2026, the company has patched the flaw through its regular Patch Tuesday updates. According to reporting on the issue, the exploit was fixed before there were any confirmed reports of widespread real-world attacks, meaning users who have updated their systems should now be safe from this specific vulnerability.

It’s also worth noting that this issue was specific to Copilot Personal — the consumer-focused version of Copilot used with Windows, Edge, and other consumer apps. Enterprise users of Microsoft 365 Copilot, which includes additional admin controls, auditing, and data loss prevention capabilities, were not believed to be affected in the same way.

Still, the Reprompt incident serves as a wake-up call about the security challenges that arise as AI assistants become more deeply woven into our digital lives. Simple phishing links can no longer be dismissed as low-risk, especially when they target systems that access sensitive data and operate with authenticated sessions.