Executive Summary

Researchers from HiddenLayer discovered a session hijacking vulnerability in the personal version of Microsoft Copilot, which they dubbed the "Reprompt" attack. The flaw allowed an attacker to craft a malicious URL that, when clicked by a victim, would inject hidden prompts into their active Copilot session. This bypassed initial prompt safety checks and enabled the attacker to execute commands within the user's authenticated context, potentially leading to data exfiltration. The vulnerability was based on the ability to chain commands via a server-controlled loop, hiding the malicious activity from the user. Microsoft has addressed this vulnerability in its January 2026 Patch Tuesday updates. There is no evidence of in-the-wild exploitation.

Vulnerability Details

The "Reprompt" attack exploited how Microsoft Copilot processed and handled prompts passed through URL parameters. The core of the vulnerability was that Copilot's security and data leakage protections were primarily focused on the user's initial prompt, but not on subsequent, programmatically generated prompts within the same session.

The attack worked as follows:

1. Malicious URL Creation: An attacker crafts a URL that directs to Copilot, embedding a malicious initial prompt within the q URL parameter.
2. Session Hijacking: A victim clicks the link. Copilot loads and automatically executes the hidden prompt from the URL within the victim's authenticated session.
3. Bypassing Defenses: The researchers found that instructing the AI to repeat actions twice could bypass some of its data exfiltration protections.
4. Chained Prompts: The most critical part of the attack was the ability to create a continuous loop. The initial hidden prompt could instruct Copilot to fetch instructions from an attacker-controlled server. Copilot would execute the instruction, send the result back to the server, and then receive the next instruction. This allowed the attacker to run a chain of commands, reacting to the output of previous ones, all without any further user interaction and while remaining invisible to the user on the client side.

This technique effectively turned the victim's browser into a proxy for the attacker to interact with the AI, using the victim's own account and data context.

Affected Systems

• Microsoft Copilot (Personal version)

The vulnerability did not affect the enterprise-grade Microsoft 365 Copilot, which is protected by more robust security controls like Microsoft Purview auditing and tenant-level Data Loss Prevention (DLP) policies.

Exploitation Status

There is no evidence that this vulnerability was exploited in the wild. The researchers at HiddenLayer responsibly disclosed the flaw to Microsoft, who subsequently developed and released a patch.

Impact Assessment

Had this vulnerability been exploited, it could have had significant privacy implications for users of the personal Copilot assistant. An attacker could have potentially:

• Exfiltrated Personal Data: Instructed Copilot to access and exfiltrate data from the user's connected Microsoft account, such as emails, documents, or calendar information, depending on Copilot's permissions.
• Performed Actions on Behalf of the User: Sent emails, created documents, or performed other actions available to the AI, all under the guise of the victim.
• Conducted Social Engineering: Used the hijacked session to interact with the user, presenting malicious information or links that appear to come from a trusted AI assistant.

The incident serves as a crucial case study in the emerging security challenges of Large Language Models (LLMs) and AI assistants, particularly around prompt injection and the processing of untrusted external input.

Cyber Observables for Detection

Detecting this specific attack post-patch is not relevant, but hunting for similar prompt injection techniques would involve:

Detection Methods

• URL Filtering and Analysis: Security solutions can be configured to inspect URLs for suspicious patterns, such as embedded scripts or excessively long, obfuscated parameters, especially those targeting AI platforms.
• Behavioral Anomaly Detection: For enterprise AI, monitoring user interaction patterns with the AI and alerting on significant deviations (e.g., a sudden high volume of complex queries from a user who normally has simple interactions) could indicate a hijacked session.

Remediation Steps

1. Apply Security Updates: All users of Microsoft products should ensure the January 2026 security updates are installed to patch this vulnerability. This is the primary and most effective remediation.
2. User Awareness: Users should be cautious about clicking links from untrusted sources, even if they appear to lead to legitimate websites like Copilot. Treat links to AI assistants with the same suspicion as any other link.
3. Enterprise Controls: Organizations using AI should opt for enterprise-grade solutions like Microsoft 365 Copilot, which provide superior security, auditing, and data governance features compared to personal consumer versions.