A new Reprompt attack lets hackers pull data from Microsoft Copilot with a single click. Disclosed by Varonis researchers, the exploit uses a URL parameter to inject malicious prompts. Enterprise teams scramble to assess risk while Microsoft patches the vector and moves on in the enterprise environment today daily.

The trick hinges on Copilot’s design: it accepts URL‑based instructions, keeps context after a session ends, and follows user requests to the letter. Guardrails only trigger on the first request, so repeating the action lets the AI quietly exfiltrate calendars, files, and location data without user interaction today.

Security vendors rush to market AI‑specific detection tools, while compliance frameworks add new checkboxes for prompt‑injection risk. Yet every mitigation that blocks URL parameters or persistent context would cripple legitimate automation and conversational flow. The core issue remains: intelligence and safety are fundamentally at odds in AI architectures.

What follows is a hard choice for enterprises: accept a new class of risk or limit AI’s reach. Experts advise segmenting data access, monitoring for anomalous repeat prompts, and explicitly weighing business value against potential compromise. The Reprompt case signals that secure AI may be an illusion today.