Security researchers from Varonis demonstrated a single-click attack against Microsoft's Copilot AI that stole user data without further interaction. The exploit, named Reprompt, used a malicious URL to trigger a multistage data exfiltration process. It bypassed enterprise security controls and continued even after the user closed the chat window, highlighting a new vulnerability vector in AI assistants.

The attack leveraged indirect prompt injection, a known flaw where LLMs cannot distinguish between user instructions and untrusted data. Varonis researchers found that Microsoft's initial guardrails were insufficient because the malicious prompt instructed Copilot to repeat its requests. This allowed the second attempt to successfully access and send sensitive details like names and locations to an external server.

Microsoft patched the vulnerability after a private disclosure from Varonis. The exploit only affected Copilot Personal, leaving Microsoft 365 Copilot untouched. This incident demonstrates how AI security flaws differ from traditional software bugs. Future defenses will require better methods for isolating user prompts from data embedded in web requests, a challenge the entire industry is racing to solve.