AI assistants like Microsoft Copilot are incredibly helpful, but they can also have vulnerabilities. Researchers at Varonis Threat Labs recently uncovered a simple yet dangerous attack method that can turn these tools into data leaks. The attack, called ‘Reprompt,’ involves just one click to start a chain of events that can secretly exfiltrate sensitive information. This highlights how even trusted AI tools can be exploited if not properly secured.

How the Reprompt Attack Works

The attack hinges on three main techniques that bypass security measures and enable data theft. First, it uses a method called parameter injection, where a malicious prompt is embedded directly into a URL. Specifically, it exploits the default ‘q’ URL parameter, which is normally used to improve user experience by pre-filling questions or commands. Attackers craft URLs that include their malicious prompts, which then auto-populate in the AI interface.

Next, the attackers employ a double request tactic. Since Copilot only checks for malicious content in the first prompt, subsequent requests can slip through unnoticed. For example, an attacker might ask Copilot to fetch a URL containing a secret phrase, then repeat the request. The first attempt might not reveal the secret, but the second often does, allowing the attacker to capture sensitive data. This double request technique helps evade initial security checks.

How the Chain-Request Facilitates Data Exfiltration

The third step involves chain requests, where the attacker’s server sends follow-up instructions to continue the conversation with Copilot. This tricks the AI into repeatedly revealing information, such as conversation history or sensitive files. Attackers can craft prompts asking for summaries of user activity, personal details, or upcoming plans. Because the process is automatic and ongoing, it becomes a scalable way to steal large amounts of data stealthily.

What makes this attack particularly dangerous is that it requires no plugins or special connectors. The victim only needs to click a legitimate-looking link in a phishing message. Once clicked, the attacker can stay in the AI environment as long as they want, even after the user closes the chat window. All commands are processed server-side, making detection difficult and allowing the attacker to extract data gradually without raising suspicion.

Microsoft has already released a patch after being alerted to the flaw. Still, the discovery serves as a reminder that AI tools, while powerful, need strong security measures. As AI assistants become more embedded in daily workflows, understanding and mitigating these risks is crucial for organizations and users alike.

Inspired by

• https://www.computerworld.com/article/4117750/one-click-is-all-it-takes-how-reprompt-turned-microsoft-copilot-into-a-data-exfiltration-tool.html

Sources

• csoonline.com
• varonis.com
• varonis.com
• beauceronsecurity.com
• csoonline.com