Varonis Threat Labs uncovered a new attack flow, dubbed Reprompt, that gives threat actors an invisible entry point to perform a data‑exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection — all from one click.
First discovered in Microsoft Copilot Personal, Reprompt is important for multiple reasons:
- Only a single click on a legitimate Microsoft link is required to compromise victims. No plugins, no user interaction with Copilot.
- The attacker maintains control even when the Copilot chat is closed, allowing the victim's session to be silently exfiltrated with no interaction beyond that first click.
- The attack bypasses Copilot's built-in mechanisms that were designed to prevent this.
- All commands are delivered from the server after the initial prompt, making it impossible to determine what data is being exfiltrated just by inspecting the starting prompt. Client-side tools can't detect data exfiltration as a result.
- The attacker can ask for a wide array of information such as "Summarize all of the files that the user accessed today," "Where does the user live?" or "What vacations does he have planned?"
- Reprompt is fundamentally different from AI vulnerabilities such as EchoLeak, in that it requires no user input prompts, installed plugins, or enabled connectors.
Microsoft has confirmed the issue has been patched as of today's date, helping prevent future exploitation and emphasizing the need for continuous cybersecurity vigilance. Enterprise customers using Microsoft 365 Copilot are not affected.
This is just absolutely crazy to me. Even if they fixed it: how many such holes exist that the public / companies don't know about? LLMs are not designed with security in mind and adding budget pressure / cut corners (which are most definitely present at such projects) are not helping.
Thanks, good point! But let's be real honest: