A new attack technique called Reprompt allows malicious actors to hijack active Microsoft Copilot sessions and trick the AI into leaking sensitive user data, according to researchers at Malwarebytes and independent security analysts.

Discovered in mid-January 2026, the attack exploits Copilot’s conversational nature by sending repeated, crafted prompts that override previous context or force the AI to reveal confidential information from earlier interactions (emails, documents, code snippets, personal details). Unlike traditional phishing, Reprompt requires no malware installation — just a malicious link or shared prompt that the victim clicks while logged into Copilot.

How the Attack Works

1.Victim is actively using Copilot in Edge, Teams, or Bing.

2.Attacker sends a specially crafted link or prompt (via email, chat, social engineering).

3.Once clicked, Reprompt floods Copilot with adversarial inputs that confuse context windows.

4.Copilot begins regurgitating sensitive data from the session history — including attached files, conversation logs, or integrated Microsoft 365 content.

5.Attacker captures output via screenshot, logging, or secondary channel.

Source: Varonis Threat Labs, “Reprompt Attack Lets Attackers Steal Data from Microsoft Copilot,” January 14, 2026.
Original article.

Varonis confirmed proof-of-concept demos in controlled environments, showing Copilot leaking full email threads, OneNote pages, and even Azure resource keys when properly prompted.

Strong Parallels to Malicious AI Chrome Extensions

This attack closely mirrors the malicious AI productivity extensions campaign we reported on January 10, 2026, where over 900,000 Chrome users were infected by fake AI tools (impersonating productivity assistants) that stole chat histories, session tokens, and credentials.

Both attacks exploit:

• Trust in AI interfaces — users assume Copilot or AI extensions are safe because they’re from “Microsoft” or look legitimate.
• Context retention — AI models keep conversation history, making them rich targets for data exfiltration.
• Low barrier to entry — no need for traditional malware; just prompt engineering or a malicious extension.

In the extensions case, attackers stole chat logs from tools like ChatGPT, Claude, and Gemini. With Reprompt, the target is Microsoft’s own Copilot — showing that no major AI platform is immune.

Why This Matters in 2026

Microsoft Copilot adoption is surging in enterprises (integrated with M365, Teams, Power Platform). A single hijacked session can expose:

• Confidential business documents
• Azure credentials / resource IDs
• Internal chat logs containing PII or IP

This highlights how AI tools are becoming the new attack surface — just like browsers were in the 2010s.

Mitigation Steps for Users & Organizations

1. Never click unsolicited Copilot links or share sessions publicly.
2. Enable session isolation — use Incognito or separate browser profiles for Copilot.
3. Monitor Microsoft 365 audit logs for unusual Copilot activity (sign-ins, prompt volume).
4. Restrict Copilot access via Conditional Access policies in Entra ID (require compliant devices, block legacy auth).
5. Educate teams — treat AI chats like email: no sensitive data in prompts.
6. Check extensions — audit Chrome/Edge for unknown productivity tools (see our Jan 10 report on malicious AI extensions stealing chats).

Read our earlier coverage: Malicious AI Chrome Extensions Steal Chats – Over 900,000 Victims

Varonis Threat Labs uncovered a new attack flow, dubbed Reprompt, that gives threat actors an invisible entry point to perform a data‑exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection — all from one click. Tal, Dolev. ““Reprompt” Attack Lets Attackers Steal Data from Microsoft Copilot.” Varonis Blog, January 14, 2026.

Source and Full Details

Varonis analysis of the Reprompt technique