Cybersecurity researchers have revealed details of a new attack method called “Reprompt.” This attack technique could allow malicious attackers to steal sensitive data from artificial intelligence (AI) chatbots such as Microsoft Copilot with a single click, completely bypassing corporate security controls.
“It only takes one click on a legitimate Microsoft link to compromise a victim,” Varonis security researcher Dolev Taler said in a report released Wednesday. “Neither the plugin nor the user needs to interact with Copilot.”
“The attacker maintains control even when the Copilot chat is closed, allowing the victim’s session to be silently exfiltrated with no interaction after the first click.”
Following responsible disclosure, Microsoft has addressed the security issue. This attack does not affect enterprise customers using Microsoft 365 Copilot. Broadly speaking, Reprompt employs three techniques to achieve the data leakage chain.
Use the “q” URL parameter in Copilot to inject crafted instructions directly from the URL (e.g. “copilot.microsoft”)[.]com/?q=Hello”) Take advantage of the fact that data loss protection only applies to the first request and instruct Copilot to bypass guardrail designs that prevent direct data leakage by simply instructing it to repeat each action twice. Trigger a chain of continuous requests through the initial prompt, enabling continuous, covert, and dynamic data extraction via back-and-forth interactions between Copilot and the attacker’s server, e.g. If you get blocked, be sure to start over. ”
In a hypothetical attack scenario, an attacker could get a target to click on a legitimate Copilot link sent via email, initiating a series of actions that cause Copilot to perform a prompt smuggled in via the “q” parameter, after which the attacker could “re-prompt” the chatbot to retrieve and share additional information.
This may include prompts such as “Please summarize all files the user accessed today”, “Where does the user live?”, etc. or “What kind of vacation is he planning?” All subsequent commands come directly from the server, so you can’t figure out what data is being leaked just by inspecting the start prompt.
Reprompt effectively creates a security blind spot by turning Copilot into an invisible channel for data exfiltration without the need for user input prompts, plugins, or connectors.
Like other attacks targeting large language models, the root cause of Reprompt is the inability of AI systems to distinguish between instructions entered directly by the user and those sent in a request, opening the way to indirect prompt injection when parsing untrusted data.
“There is no limit to the amount or type of data that can be exfiltrated. Servers can request information based on previous responses,” Varonis said. “For example, if we detect that a victim works in a particular industry, we can investigate more sensitive details.”
“All commands are delivered by the server after the initial prompt, so it is not possible to determine what data is being leaked by simply inspecting the opening prompt. The actual instructions are hidden in the server’s follow-up requests.”
This disclosure coincides with the discovery of a wide range of adversarial techniques targeting AI-powered tools that bypass safeguards, some of which are triggered when users perform routine searches.
The vulnerability, known as ZombieAgent (a variant of ShadowLeak), exploits ChatGPT connections to third-party apps to turn indirect prompt injection into a zero-click attack, providing a list of pre-built URLs (one for each special token of letters, numbers, and spaces) to retrieve data. Turn chatbots into data extraction tools by sending them character by character, or allow attackers to gain persistence by injecting malicious instructions into memory. An attack technique known as Lies-in-the-Loop (LITL) exploits the trust users place in verification, prompting the execution of malicious code and turning Human-in-the-Loop (HITL) protections into attack vectors. This attack affects Anthropic Claude Code and Microsoft Copilot Chat in VS Code and is codenamed HITL Dialog Forging. The vulnerability, known as GeminiJack, affects Gemini Enterprise and allows attackers to obtain potentially sensitive corporate data by embedding hidden instructions in shared Google documents, calendar invites, or emails. Prompt injection risks impacting Perplexity’s Comet, which bypasses BrowseSafe, a technology explicitly designed to protect AI browsers from prompt injection attacks. A hardware vulnerability known as GATEBLEED allows an attacker with access to a server that uses machine learning (ML) accelerators to determine what data was used to train AI systems running on that server and to disclose other personal information by monitoring the timing of software-level functions executed on the hardware. Prompt injection attack vectors that exploit the sampling capabilities of the Model Context Protocol (MCP) to deplete AI compute quotas, consume resources for unauthorized or external workloads, enable invocation of hidden tools, and allow malicious MCP servers to inject persistent instructions, manipulate AI responses, and exfiltrate sensitive data. This attack relies on the implicit trust model associated with MCP sampling. A prompt injection vulnerability known as CellShock that affects Anthropic Claude for Excel can be exploited to output unsafe formulas that extract data from a user’s files through carefully crafted instructions hidden in an untrusted data source. A prompt injection vulnerability in Cursor and Amazon Bedrock could allow non-administrators to change budget controls and leak API tokens, effectively allowing attackers to secretly exfiltrate corporate budgets through social engineering attacks via malicious Cursor deep links. Various data leak vulnerabilities affecting Claude Cowork, Superhuman AI, IBM Bob, Notion AI, Hugging Face Chat, Google Antigravity, and Slack AI.
The findings highlight that rapid injection still poses ongoing risks and the need to deploy defense-in-depth to counter threats. We also recommend that you prevent sensitive tools from running with elevated privileges and limit agent access to business-critical information as necessary.
“As AI agents gain broader access to corporate data and the autonomy to act on instructions, the explosive radius of a single vulnerability grows exponentially,” Noma Security said. Organizations deploying AI systems with access to sensitive data must carefully consider trust boundaries, implement robust oversight, and stay informed of new AI security research.
Source link
