AI assistants rarely signal compromise. They accept a single click as consent, turn a URL parameter into an instruction, repeat the request to slip past guardrails, and quietly chain follow‑ups that exfiltrate your data while the chat looks normal.

Overview

Reprompt is a novel attack that allows an adversary to bypass built-in AI safeguards and silently exfiltrate user data with a single click on a legitimate link. Once executed, the attacker can maintain control of the victim’s Copilot session and execute follow-on instructions without further interaction.  

• Invisible compromise: A threat actor requires only a single click on a crafted Microsoft Copilot link to initiate the exploit.  
• Safety bypass: The attack circumvents Copilot’s built-in guardrails, enabling actions not intended by the user.  
• Stealthy data exfiltration: Follow-up instructions originate from the attacker’s server post-initial click, making detection difficult with client-side tools.  
• Broad scope of access: Attackers can query sensitive information such as file summaries, personal details, or user behavior.  

The vulnerability has been patched, and Microsoft 365 Copilot enterprise users are reportedly not impacted.

How the Attack Happened?

Attack Propagation: Through the AI Kill Chain

Reprompt didn't exploit a single flaw. It traveled — methodically, invisibly — through amost of the ten stages of the AI Kill Chain, with the victim never typing a word.

It entered at Stage 1 (AI Recon) through systematic surface discovery: the attacker mapped Copilot's q URL parameter behavior and probed safety boundaries before the victim ever saw the link.

At Stage 3 (Instruction and Weaponization), Direct Prompt Injection and Instruction Smuggling hid a full attack payload inside URL syntax no ordinary user would inspect. Stage 4 (Reasoning and Execution) delivered Policy Shadowing and Goal Substitution — Copilot's own compliance logic was turned against its guardrails by instructing it to repeat each blocked action twice.

The middle stages compounded the damage. Credential Overreach via AI at Stage 6 required no stolen tokens — the attacker simply inherited the victim's full identity through the AI.

At Stage 8 (Persistence), the attack survived the closed chat window — cached context continued leaking data across sessions the user believed were clean. Stage 9 (AI C&C) transformed the attacker's server into a live command center: follow-up instructions arrived after the initial prompt, invisible to client-side monitoring. Stage 10 delivered the objective — files, emails, identity, and organizational data exfiltrated at scale through Data Exfiltration via AI, with the attacker never directly touching the victim's environment.

How Reprompt Works

Reprompt exploits default AI assistant behaviors through three core techniques:  

1. Parameter-to-Prompt Injection (P2P)
   • Utilizes the “q” URL parameter to inject prompts directly via the link.
   • When Copilot loads, it executes the injected instruction as if entered by the user.
   • This vector requires no plugins and no explicit user interaction beyond the click.  
2. Double-Request Method
   • Safeguards apply only to the initial AI request.
   • The attacker instructs Copilot to repeat actions twice, enabling sensitive operations (like URL fetches) on the second request.
   • Circumvents safety filters designed to block direct data leaks.  
3. Chain-Request Technique
   • After initiating the attack, the attacker’s server sends dynamic instructions based on previous responses.
   • This creates an ongoing back-and-forth communication loop that continuously exfiltrates sensitive information.
   • The real intent is obscured from defenders because subsequent commands never appear in the original prompt.

Unique Attributes vs. Other AI Vulnerabilities

• No user prompts required: Unlike prompt injection or jailbreak techniques, Reprompt doesn’t depend on user-typed instructions.  
• Stealthy & scalable: Extracted data can feed follow-on requests for deeper access without detection.  
• Guardrail blind spots: Existing safety mechanisms only inspect initial requests, not chained server-driven flows.  

Threat Impact

If exploited successfully:

• Sensitive corporate or personal data exfiltrates silently.
• Traditional monitoring may not detect the breach.
• User sessions remain compromised even after closing AI tools.
• Attackers can iteratively probe for more information based on response context.  

Mitigation and Prevention

For AI Vendors

• Treat all external input as untrusted. Don’t rely on URL parameters or deep-linked prompts without strict validation.  
• Extend safeguards across entire interaction chains. Ensure security controls cover all request cycles, not just the initial one.  
• Adopt least-privilege models. Assume AI assistants operate with significant access; enforce strict access controls.  

For Users (especially personal Copilot users)

• Be cautious with AI tool links. Only click links from verified sources.  
• Monitor unusual AI behavior. Stop sessions that request sensitive data unexpectedly.  
• Review pre-filled prompts carefully. Inspect any automatically populated prompt before execution.  

Indicators of Compromise (IoCs)

Potential signs Reprompt may have been triggered include:

• Unexpected AI queries for personal or corporate data.
• AI interactions continuing in the background after the tool’s UI is closed.
• Unusual outbound connections from AI services to unrecognized domains.

Specific IoCs may vary by environment and detection tooling.

Industry Context

• Mitre Atlas: AML.T0051, AML.T0043, AML.T0040, AML.T0054, AML.T0096
• OWASP Top 10 for Agentic Applications: ASI01, ASI03, ASI05, ASI06
• OWASP Top 10 for LLM: LLM01, LLM02, LLM06

‍