The Single-Click Microsoft Copilot Attack
Published: Thursday, March 18th, 2026

AI assistants rarely signal compromise. They accept a single click as consent, turn a URL parameter into an instruction, repeat the request to slip past guardrails, and quietly chain follow‑ups that exfiltrate your data while the chat looks normal.
Overview
Microsoft Copilot is, by design, a good sport. It takes your queries, reasons over your files, and returns answers in the patient, even-tempered register of a very knowledgeable colleague who never seems to mind being interrupted. It reads URLs. It follows links. It does what it is asked.
The trouble, as researchers discovered, is that Copilot cannot always tell who is doing the asking.
The attack is called Reprompt, and its premise is almost insultingly simple. An adversary crafts a Microsoft Copilot link — the kind that looks, to any reasonable eye, like an ordinary share link — and tucks a full set of instructions into the URL's q parameter, the small query field Copilot uses to pre-populate a conversation. The victim clicks. Copilot loads. The injected payload executes as if the user typed it themselves. The attacker, at this point, has done everything they need to do.
They don't need to be in the room. They were never in the room.
How Did It Happen?
Attack Propagation: Through the AI Kill Chain
Reprompt didn't exploit a single flaw. It traveled — methodically, invisibly — through all ten stages of the AI Kill Chain, with the victim never typing a word.

It entered at Stage 1 (AI Recon) through systematic surface discovery: the attacker mapped Copilot's q URL parameter behavior and probed safety boundaries before the victim ever saw the link.
At Stage 3 (Instruction and Weaponization), Direct Prompt Injection and Instruction Smuggling hid a full attack payload inside URL syntax no ordinary user would inspect. Stage 4 (Reasoning and Execution) delivered Policy Shadowing and Goal Substitution — Copilot's own compliance logic was turned against its guardrails by instructing it to repeat each blocked action twice.
The middle stages compounded the damage. Credential Overreach via AI at Stage 6 required no stolen tokens — the attacker simply inherited the victim's full identity through the AI.
At Stage 8 (Persistence), the attack survived the closed chat window — cached context continued leaking data across sessions the user believed were clean. Stage 9 (AI C&C) transformed the attacker's server into a live command center: follow-up instructions arrived after the initial prompt, invisible to client-side monitoring. Stage 10 delivered the objective — files, emails, identity, and organizational data exfiltrated at scale through Data Exfiltration via AI, with the attacker never directly touching the victim's environment.
How Reprompt Works
Reprompt is a novel attack that allows an adversary to bypass built-in AI safeguards and silently exfiltrate user data with a single click on a legitimate link. Once executed, the attacker can maintain control of the victim’s Copilot session and execute follow-on instructions without further interaction.
Invisible compromise: A threat actor requires only a single click on a crafted Microsoft Copilot link to initiate the exploit.
Safety bypass: The attack circumvents Copilot’s built-in guardrails, enabling actions not intended by the user.
Stealthy data exfiltration: Follow-up instructions originate from the attacker’s server post-initial click, making detection difficult with client-side tools.
Broad scope of access: Attackers can query sensitive information such as file summaries, personal details, or user behavior.
The vulnerability has been patched, and Microsoft 365 Copilot enterprise users are reportedly not impacted.
Reprompt exploits default AI assistant behaviors through three core techniques:
Parameter-to-Prompt Injection (P2P)
Utilizes the “q” URL parameter to inject prompts directly via the link.
When Copilot loads, it executes the injected instruction as if entered by the user.
This vector requires no plugins and no explicit user interaction beyond the click.
Double-Request Method
Safeguards apply only to the initial AI request.
The attacker instructs Copilot to repeat actions twice, enabling sensitive operations (like URL fetches) on the second request.
Circumvents safety filters designed to block direct data leaks.
Chain-Request Technique
After initiating the attack, the attacker’s server sends dynamic instructions based on previous responses.
This creates an ongoing back-and-forth communication loop that continuously exfiltrates sensitive information.
The real intent is obscured from defenders because subsequent commands never appear in the original prompt.
Unique Attributes vs. Other AI Vulnerabilities
No user prompts required: Unlike prompt injection or jailbreak techniques, Reprompt doesn’t depend on user-typed instructions.
Stealthy & scalable: Extracted data can feed follow-on requests for deeper access without detection.
Guardrail blind spots: Existing safety mechanisms only inspect initial requests, not chained server-driven flows.
Threat Impact
If exploited successfully:
Sensitive corporate or personal data is exfiltrated silently.
Traditional monitoring may not detect the breach.
User sessions remain compromised even after closing AI tools.
Attackers can iteratively probe for more information based on response context.
Mitigation and Prevention

For AI Vendors
Treat all external input as untrusted. Don’t rely on URL parameters or deep-linked prompts without strict validation.
Extend safeguards across entire interaction chains. Ensure security controls cover all request cycles, not just the initial one.
Adopt least-privilege models. Assume AI assistants operate with significant access; enforce strict access controls.
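The guardrail gap behind the Double-Request and Chain-Request techniques described earlier, and the three vendor-side mitigations just listed, modelled as an added Python example. This is not Microsoft's code or the researchers' code: the request kinds, the origin labels, the allow-listed host, the prompt length cap and the sample session are all constructed assumptions. The weak gate simply encodes the behavior the article describes (policy evaluated on the first request only) next to a gate that evaluates every request, treats instructions found inside fetched content as data rather than commands, and executes a prompt pre-filled from a link's q parameter only after the user has seen and confirmed it.

```python
"""Toy assistant gateway: a first-request-only guardrail next to a per-request one.

Added example, not Microsoft's or the researchers' code. Request kinds, origin
labels, the allow-listed host and the sample session are all constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed: the only host this assistant may fetch on the user's behalf.
ALLOWED_FETCH_HOSTS = {"intranet.example.test"}
MAX_PREFILL_CHARS = 500  # assumed cap on prompt text taken from a link


@dataclass(frozen=True)
class Request:
    """One instruction the assistant is asked to carry out, and where it came from."""
    action: str             # "answer", "fetch_url", "summarize_file"
    target: str = ""        # URL, file name or question text
    origin: str = "user"    # "user" (typed), "url_param" (from a deep link),
                            # "remote" (found inside content the assistant fetched)


def blocked_by_policy(req: Request) -> bool:
    """Example guardrail: outbound fetches go only to allow-listed hosts."""
    if req.action == "fetch_url":
        host = urlparse(req.target).hostname or ""
        return host not in ALLOWED_FETCH_HOSTS
    return False


def prefill_from_deep_link(url: str) -> Optional[Request]:
    """Turn a link's q parameter into a request tagged as untrusted (origin 'url_param').
    The text may pre-populate the input box; it is never submitted on its own."""
    values = parse_qs(urlparse(url).query).get("q", [])
    if not values:
        return None
    return Request("answer", values[0][:MAX_PREFILL_CHARS], origin="url_param")


def gate_initial_only(session: List[Request]) -> List[Request]:
    """Weak gate modelling the behavior described above: the policy is evaluated on
    the session's first request only, so repeating a blocked action gets it through."""
    executed = []
    for i, req in enumerate(session):
        if i == 0 and blocked_by_policy(req):
            continue
        executed.append(req)
    return executed


def gate_every_request(session: List[Request], confirmed: Set[int]) -> List[Request]:
    """Hardened gate: every request is checked; pre-filled (url_param) requests run
    only if the user confirmed that index; instructions found in fetched content
    are treated as data and never executed."""
    executed = []
    for i, req in enumerate(session):
        if req.origin == "remote":
            continue   # Chain-Request: server-supplied text is not a command
        if req.origin == "url_param" and i not in confirmed:
            continue   # P2P: a link cannot speak for the user
        if blocked_by_policy(req):
            continue   # Double-Request: the policy applies to every turn
        executed.append(req)
    return executed


# Constructed session: a blocked fetch derived from a pre-filled prompt, the same
# fetch repeated, an instruction that arrived inside fetched content, then a typed
# question. The collector host is a placeholder, not a real indicator.
SAMPLE_SESSION = [
    Request("fetch_url", "https://collector.example.invalid/?d=inbox-summary", origin="url_param"),
    Request("fetch_url", "https://collector.example.invalid/?d=inbox-summary", origin="url_param"),
    Request("summarize_file", "Q3-forecast.xlsx", origin="remote"),
    Request("answer", "what is on my calendar today", origin="user"),
]

if __name__ == "__main__":
    print([r.action for r in gate_initial_only(SAMPLE_SESSION)])
    # -> ['fetch_url', 'summarize_file', 'answer']  (second fetch slips through)
    print([r.action for r in gate_every_request(SAMPLE_SESSION, confirmed={0, 1})])
    # -> ['answer']  (both fetches blocked, remote instruction dropped)
```

Even with the pre-filled requests confirmed by the user, the hardened gate still rejects them on policy grounds; confirmation only decides whether a link-supplied prompt is allowed to become a request at all, and the fetch policy is applied on top of that for every turn.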
For Users (especially personal Copilot users)
Be cautious with AI tool links. Only click links from verified sources.
Monitor unusual AI behavior. Stop sessions that request sensitive data unexpectedly.
Review pre-filled prompts carefully. Inspect any automatically populated prompt before execution.
Indicators of Compromise (IoCs)
Potential signs Reprompt may have been triggered include:
Unexpected AI queries for personal or corporate data.
AI interactions continuing in the background after the tool’s UI is closed.
Unusual outbound connections from AI services to unrecognized domains.
Specific IoCs may vary by environment and detection tooling.
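The last two indicators above (background activity after the UI is closed, and outbound connections to unrecognized domains), checked over a constructed log as an added Python example. This is not from the article or from any vendor's tooling: the line format, the field names, the allow-listed hosts and the log lines themselves are assumptions, and the code assumes lines arrive in time order. Real telemetry fields depend on the platform, so the regular expression is the part to adapt.

```python
"""Flag two Reprompt-style indicators in assistant outbound-activity logs.

Added example with a constructed log format; adapt LINE_RE to real telemetry."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed log line shape: "<ts> session=<id> event=<fetch|ui_closed> [host=<host>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) event=(?P<event>\S+)(?: host=(?P<host>\S+))?$"
)

# Constructed allow-list of hosts the assistant is expected to contact.
KNOWN_HOSTS = {"graph.microsoft.com", "intranet.example.test"}

# Constructed sample: session s1 contacts an unknown host and keeps fetching after
# the user closed the UI; session s2 is benign. The collector host is a placeholder.
SAMPLE_LOG = """\
2026-03-18T09:00:01Z session=s1 event=fetch host=graph.microsoft.com
2026-03-18T09:00:07Z session=s1 event=fetch host=collector.example.invalid
2026-03-18T09:00:09Z session=s1 event=ui_closed
2026-03-18T09:00:15Z session=s1 event=fetch host=collector.example.invalid
2026-03-18T09:01:00Z session=s2 event=fetch host=intranet.example.test
2026-03-18T09:01:05Z session=s2 event=ui_closed
""".splitlines()

Finding = Tuple[str, str, str]  # (indicator, session, host)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def find_indicators(lines: List[str]) -> List[Finding]:
    """Return findings for fetches to unrecognized hosts and for fetches that occur
    after the same session's UI was closed (lines are assumed to be time-ordered)."""
    findings: List[Finding] = []
    closed_at = {}  # session id -> time the UI was closed
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # ignore lines we do not understand rather than guessing
        sid = ev["session"]
        if ev["event"] == "ui_closed":
            closed_at[sid] = ev["ts"]
            continue
        if ev["event"] == "fetch":
            host = ev["host"] or ""
            if host not in KNOWN_HOSTS:
                findings.append(("unrecognized_host", sid, host))
            if sid in closed_at and ev["ts"] > closed_at[sid]:
                findings.append(("activity_after_ui_closed", sid, host))
    return findings


if __name__ == "__main__":
    for indicator, sid, host in find_indicators(SAMPLE_LOG):
        print(f"{indicator}: session={sid} host={host}")
```

A fetch to an unknown host is worth a look on its own, but the combination of both indicators in one session is the stronger signal: the article's Chain-Request step depends on the assistant continuing to contact the attacker's server after the user has stopped interacting.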
Industry Context
OWASP Top 10 for Agentic Applications: ASI01, ASI03, ASI05, ASI06
OWASP Top 10 for LLM: LLM01, LLM02, LLM06