Why clicking the wrong Copilot link could put your data at risk

AI assistants are supposed to make life easier. Tools like Microsoft Copilot can help you write emails, summarize documents, and answer questions using information from your own account. But security researchers are now warning that a single bad link could quietly turn that convenience into a privacy risk. 

A newly discovered attack method shows how attackers could hijack a Copilot session and siphon data without you seeing anything suspicious on screen.

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.     

ILLINOIS DHS DATA BREACH EXPOSES 700K RESIDENTS' RECORDS

Security researchers at Varonis uncovered a technique they call "Reprompt." In simple terms, it shows how attackers could sneak instructions into a normal-looking Copilot link and make the AI do things on their behalf.

Here's the part that matters to you. Microsoft Copilot is connected to your Microsoft account. Depending on how you use it, Copilot can see your past conversations, things you've asked it and certain personal data tied to your account. Normally, Copilot has guardrails to prevent sensitive information from leaking. Reprompt showed a way around some of those protections.

The attack starts with just one click. If you open a specially crafted Copilot link sent through email or a message, Copilot can automatically process hidden instructions embedded inside the link. You don't need to install anything, and there are no pop-ups or warnings. After that single click, Copilot can keep responding to instructions in the background using your already logged-in session. Even closing the Copilot tab does not immediately stop the attack, because the session stays active for a while.

Varonis found that Copilot accepts questions through a parameter inside its web address. Attackers can hide instructions inside that address and make Copilot execute them as soon as the page loads.

That alone would not be enough, because Copilot tries to block data leaks. The researchers combined several tricks to get around this. First, they injected instructions directly into Copilot through the link itself. This allowed Copilot to read information it normally shouldn't share.

Second, they used a "try twice" trick. Copilot applies stricter checks the first time it answers a request. By telling Copilot to repeat the action and double-check itself, the researchers found that those protections could fail on the second attempt.

Third, they showed that Copilot could keep receiving follow-up instructions from a remote server controlled by the attacker. Each response from Copilot helped generate the next request, allowing data to be quietly sent out piece by piece. The result is an invisible back-and-forth where Copilot keeps working for the attacker using your session. From your perspective, nothing looks wrong.

MICROSOFT SOUNDS ALARM AS HACKERS TURN TEAMS PLATFORM INTO 'REAL-WORLD DANGERS' FOR USERS

Varonis responsibly reported the issue to Microsoft, and the company fixed it in the January 2026 Patch Tuesday updates. There is no evidence that Reprompt was used in real-world attacks before the fix. Still, this research is important because it shows a bigger problem. AI assistants have access, memory and the ability to act on your behalf. That combination makes them powerful, but also risky if protections fail. As researchers put it, the danger increases when autonomy and access come together.

It's also worth noting that this issue only affected Copilot Personal. Microsoft 365 Copilot, which businesses use, has extra security layers like auditing, data loss prevention and admin controls.

"We appreciate Varonis Threat Labs for responsibly reporting this issue," a Microsoft spokesperson told CyberGuy. "We have rolled out protections that address the scenario described and are implementing additional measures to strengthen safeguards against similar techniques as part of our defense-in-depth approach."

Even with the fix in place, these habits will help protect your data as AI tools become more common.

Security fixes only protect you if they're installed. Attacks like Reprompt rely on flaws that already have patches available. Turn on automatic updates for Windows, Edge, and other browsers so you don't delay critical fixes. Waiting weeks or months leaves a window where attackers can still exploit known weaknesses.

If you wouldn't click a random password reset link, don't click unexpected Copilot links either. Even links that look official can be weaponized. If someone sends you a Copilot link, pause and ask yourself whether you were expecting it. When in doubt, open Copilot manually instead.

A password manager creates and stores strong, unique passwords for every service you use. If attackers manage to access session data or steal credentials indirectly, unique passwords prevent one breach from unlocking your entire digital life. Many password managers also warn you if a site looks suspicious or fake.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

Two-factor authentication (2FA) adds a second layer of protection, even if attackers gain partial access to your session. It forces an extra verification step, usually through an app or device, making it much harder for someone else to act as you inside Copilot or other Microsoft services.

5) Reduce how much personal data exists online

Data broker sites collect and resell personal details like your email address, phone number, home address and even work history. If an AI tool or account session is abused, that publicly available data can make the damage worse. Using a data-removal service helps delete this information from broker databases, shrinking your digital footprint and limiting what attackers can piece together.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Modern antivirus tools do more than scan files. They help detect phishing links, malicious scripts and suspicious behavior tied to browser activity. Since Reprompt-style attacks start with a single click, having real-time protection can stop you before damage happens, especially when attacks look legitimate.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

Check your Microsoft account activity for unfamiliar logins, locations, or actions. Review what services Copilot can access, and revoke anything you no longer need. These checks don't take long, but they can reveal issues early, before attackers have time to do serious damage. Here's how:

Go to account.microsoft.com and sign in to your Microsoft account.

Select Security, then choose View my sign-in activity and verify your identity if prompted.

Review each login for unfamiliar locations, devices, or failed sign-in attempts.

If you see anything suspicious, select This wasn't me or Secure your account, then change your password immediately and enable two-step verification.

Visit account.microsoft.com/devices and remove any devices you no longer recognize or use.

In Microsoft Edge, open Settings > Appearance > Copilot and Sidebar > Copilot and turn off Allow Microsoft to access page content if you want to limit Copilot's access.

Review apps connected to your Microsoft account and revoke permissions you no longer need.

Avoid giving AI assistants broad authority like "handle whatever is needed." Wide permissions make it easier for hidden instructions to influence outcomes. Keep requests narrow and task-focused. The less freedom an AI has, the harder it is for malicious prompts to steer it silently.

Reprompt doesn't mean Copilot is unsafe to use, but it does show how much trust these tools require. When an AI assistant can think, remember and act for you, even a single bad click can matter. Keeping your system updated and being selective about what you click remains just as important in the age of AI as it was before.

Do you feel comfortable letting AI assistants access your personal data, or does this make you more cautious? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All rights reserved.