Your Copilot data can be hijacked with a single click - here's how
Briefly

"By exploiting the 'q' URL parameter, an attacker can fill a prompt from a URL and inject crafted, malicious instructions that force Copilot to perform actions, including data exfiltration. While Copilot has safeguards that prevent direct data exfiltration or leaks, the team found that repeating a request for an action twice will force it to be performed. Once the initial prompt (repeated twice) is executed, the Reprompt attack chain server issues follow-up instructions and requests, such as demands for additional information."
"Reprompt impacts Microsoft Copilot Personal and, according to the team, 'gives threat actors an invisible entry point to perform a data exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection -- all from one click.'"
"No user interaction with Copilot or plugins is required for this attack to trigger. Instead, victims must click a link. After this single click, Reprompt can circumvent security controls by abusing the 'q' URL parameter to feed a prompt and malicious actions through to Copilot, potentially"
The Reprompt attack injects malicious prompts into Microsoft Copilot Personal by abusing the 'q' URL parameter so a URL can fill and control Copilot prompts. The method leverages a double-request behavior that forces Copilot to perform an action when a request is repeated, then uses a chain-request mechanism to issue follow-up commands demanding additional information. The attack requires only a single clicked link, needs no further Copilot or plugin interaction, and can bypass enterprise security controls to access and exfiltrate sensitive Copilot data without detection.
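As an added example (not from ZDNET or the research team), here is a link triage check a mail gateway or web proxy could run: it flags URLs that prefill a Copilot prompt through `q` and notes when the prompt repeats an instruction, the double-request pattern described above. The host `copilot.microsoft.com`, the scoring, the length threshold and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Assumption: hostnames serving Copilot Personal; adjust for your environment.
COPILOT_HOSTS = {"copilot.microsoft.com"}
URL_IN_TEXT = re.compile(r"https?://", re.I)
LONG_PROMPT = 200  # assumed threshold, tune against your own traffic


def _sentences(text):
    """Split a prompt into normalized sentences for duplicate detection."""
    parts = re.split(r"(?<=[.!?])\s+|\n+", text)
    return [re.sub(r"\s+", " ", p).strip().lower() for p in parts if p.strip()]


def score_link(url):
    """Return (risk, reasons) for one delivered or clicked URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in COPILOT_HOSTS:
        return 0, []
    prompts = parse_qs(parts.query).get("q", [])
    if not prompts:
        return 0, []
    reasons = ["prefilled prompt via q parameter"]
    text = " ".join(prompts)
    sents = _sentences(text)
    if len(sents) != len(set(sents)):
        reasons.append("same instruction repeated")
    if URL_IN_TEXT.search(text):
        reasons.append("prompt references an external URL")
    if len(text) > LONG_PROMPT:
        reasons.append("unusually long prompt")
    return len(reasons), reasons


# Constructed sample links (placeholders, not taken from the report).
_REPEATED = "Please do TASK using https://example.invalid/x. " * 2
SAMPLES = {
    "simple": "https://copilot.microsoft.com/?q=weather+in+Paris",
    "repeated": "https://copilot.microsoft.com/?" + urlencode({"q": _REPEATED}),
    "other_host": "https://example.com/?q=hello",
}

if __name__ == "__main__":
    for name, link in SAMPLES.items():
        print(name, score_link(link))
```

A score of 1 only means the link prefills a prompt; higher scores are the ones worth quarantining or rewriting before the user can click.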
Read at ZDNET