Why clicking the wrong Copilot link could put your data at risk

AI assistants are expected to marque beingness easier. Tools similar Microsoft Copilot tin assistance you constitute emails, summarize documents, and reply questions utilizing accusation from your ain account. But information researchers are present informing that a azygous atrocious nexus could softly crook that convenience into a privateness risk. 

A recently discovered onslaught method shows however attackers could hijack a Copilot league and siphon information without you seeing thing suspicious connected screen.

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.     

Because Copilot stays tied to your logged-in Microsoft account, attackers tin softly usage your progressive league to entree information successful the background. (Photo by Donato Fasano/Getty Images)

What researchers discovered astir Copilot links

ILLINOIS DHS DATA BREACH EXPOSES 700K RESIDENTS' RECORDS

Security researchers astatine Varonis uncovered a method they telephone "Reprompt." In elemental terms, it shows however attackers could sneak instructions into a normal-looking Copilot nexus and marque the AI bash things connected their behalf.

Here's the portion that matters to you. Microsoft Copilot is connected to your Microsoft account. Depending connected however you usage it, Copilot tin spot your past conversations, things you've asked it and definite idiosyncratic information tied to your account. Normally, Copilot has guardrails to forestall delicate accusation from leaking. Reprompt showed a mode astir immoderate of those protections.

The onslaught starts with conscionable 1 click. If you unfastened a specially crafted Copilot nexus sent done email oregon a message, Copilot tin automatically process hidden instructions embedded wrong the link. You don't request to instal anything, and determination are nary pop-ups oregon warnings. After that azygous click, Copilot tin support responding to instructions successful the inheritance utilizing your already logged-in session. Even closing the Copilot tab does not instantly halt the attack, due to the fact that the league stays progressive for a while.

How Reprompt works

Varonis recovered that Copilot accepts questions done a parameter wrong its web address. Attackers tin fell instructions wrong that code and marque Copilot execute them arsenic soon arsenic the leafage loads.

That unsocial would not beryllium enough, due to the fact that Copilot tries to artifact information leaks. The researchers combined respective tricks to get astir this. First, they injected instructions straight into Copilot done the nexus itself. This allowed Copilot to work accusation it usually shouldn't share.

Second, they utilized a "try twice" trick. Copilot applies stricter checks the archetypal clip it answers a request. By telling Copilot to repetition the enactment and double-check itself, the researchers recovered that those protections could neglect connected the 2nd attempt.

Third, they showed that Copilot could support receiving follow-up instructions from a distant server controlled by the attacker. Each effect from Copilot helped make the adjacent request, allowing information to beryllium softly sent retired portion by piece. The effect is an invisible back-and-forth wherever Copilot keeps moving for the attacker utilizing your session. From your perspective, thing looks wrong.

MICROSOFT SOUNDS ALARM AS HACKERS TURN TEAMS PLATFORM INTO 'REAL-WORLD DANGERS' FOR USERS

Varonis responsibly reported the contented to Microsoft, and the institution fixed it successful the January 2026 Patch Tuesday updates. There is nary grounds that Reprompt was utilized successful real-world attacks earlier the fix. Still, this probe is important due to the fact that it shows a bigger problem. AI assistants person access, representation and the quality to enactment connected your behalf. That operation makes them powerful, but besides risky if protections fail. As researchers enactment it, the information increases erstwhile autonomy and entree travel together.

It's besides worthy noting that this contented lone affected Copilot Personal. Microsoft 365 Copilot, which businesses use, has other information layers similar auditing, information nonaccomplishment prevention and admin controls.

"We admit Varonis Threat Labs for responsibly reporting this issue," a Microsoft spokesperson told CyberGuy. "We person rolled retired protections that code the script described and are implementing further measures to fortify safeguards against akin techniques arsenic portion of our defense-in-depth approach."

8 steps you tin instrumentality to enactment harmless from AI attacks

Even with the hole successful place, these habits volition assistance support your information arsenic AI tools go much common.

1) Install Windows and browser updates immediately

Security fixes lone support you if they're installed. Attacks similar Reprompt trust connected flaws that already person patches available. Turn connected automatic updates for Windows, Edge, and different browsers truthful you don't hold captious fixes. Waiting weeks oregon months leaves a model wherever attackers tin inactive exploit known weaknesses.

2) Treat Copilot and AI links similar login links

If you wouldn't click a random password reset link, don't click unexpected Copilot links either. Even links that look authoritative tin beryllium weaponized. If idiosyncratic sends you a Copilot link, intermission and inquire yourself whether you were expecting it. When successful doubt, unfastened Copilot manually instead.

Even aft Microsoft fixed the flaw, the probe highlights wherefore limiting information vulnerability and monitoring relationship enactment inactive matters arsenic AI tools evolve. (Photographer: Prakash Singh/Bloomberg via Getty Images)

3) Use a password manager to support your accounts

A password manager creates and stores strong, unsocial passwords for each work you use. If attackers negociate to entree league information oregon bargain credentials indirectly, unsocial passwords forestall 1 breach from unlocking your full integer life. Many password managers besides pass you if a tract looks suspicious oregon fake.

Next, spot if your email has been exposed successful past breaches. Our No. 1 password manager prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2026 astatine Cyberguy.com.

4) Enable two-factor authentication connected your Microsoft account

Two-factor authentication (2FA) adds a 2nd furniture of protection, adjacent if attackers summation partial entree to your session. It forces an other verification step, usually done an app oregon device, making it overmuch harder for idiosyncratic other to enactment arsenic you wrong Copilot oregon different Microsoft services.

5) Reduce however overmuch idiosyncratic information exists online

Data broker sites cod and resell idiosyncratic details similar your email address, telephone number, location code and adjacent enactment history. If an AI instrumentality oregon relationship league is abused, that publically disposable information tin marque the harm worse. Using a data-removal work helps delete this accusation from broker databases, shrinking your integer footprint and limiting what attackers tin portion together.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

6) Run beardown antivirus bundle connected your device

Modern antivirus tools bash much than scan files. They assistance observe phishing links, malicious scripts and suspicious behaviour tied to browser activity. Since Reprompt-style attacks commencement with a azygous click, having real-time extortion tin halt you earlier harm happens, particularly erstwhile attacks look legitimate.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

7) Regularly reappraisal your relationship enactment and settings

Check your Microsoft relationship enactment for unfamiliar logins, locations, oregon actions. Review what services Copilot tin access, and revoke thing you nary longer need. These checks don't instrumentality long, but they tin uncover issues early, earlier attackers person clip to bash superior damage. Here's how:

Go to account.microsoft.com and motion successful to your Microsoft account.

Select Security, past take View my sign-in activity and verify your individuality if prompted.

Review each login for unfamiliar locations, devices, oregon failed sign-in attempts.

If you spot thing suspicious, prime This wasn't me oregon Secure your account, past change your password immediately and alteration two-step verification.

Visit account.microsoft.com/devices and region immoderate devices you nary longer admit oregon use.

In Microsoft Edge, unfastened Settings > Appearance > Copilot and Sidebar > Copilot and crook disconnected Allow Microsoft to entree leafage content if you privation to bounds Copilot's access.

Review apps connected to your Microsoft relationship and revoke permissions you nary longer need.

A azygous Copilot nexus tin transportation hidden instructions that tally the infinitesimal you click, without immoderate informing oregon pop-ups.  (iStock)

8) Be circumstantial astir what you inquire AI tools to do

Avoid giving AI assistants wide authorization similar "handle immoderate is needed." Wide permissions marque it easier for hidden instructions to power outcomes. Keep requests constrictive and task-focused. The little state an AI has, the harder it is for malicious prompts to steer it silently.

Kurt's cardinal takeaway

Reprompt doesn't mean Copilot is unsafe to use, but it does amusement however overmuch spot these tools require. When an AI adjunct tin think, retrieve and enactment for you, adjacent a azygous atrocious click tin matter. Keeping your strategy updated and being selective astir what you click remains conscionable arsenic important successful the property of AI arsenic it was before.

Do you consciousness comfy letting AI assistants entree your idiosyncratic data, oregon does this marque you much cautious? Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All rights reserved.