CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Reprompt Attack Exploits Microsoft Copilot Session Hijacking

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

Researchers discovered the Reprompt attack, which allows hackers to hijack Microsoft Copilot sessions by embedding malicious prompts in URLs. This attack bypasses Copilot's protections, enabling data exfiltration without user interaction beyond an initial click. The attack leverages three techniques: Parameter-to-Prompt (P2P) injection, double-request, and chain-request methods. The attack starts with the exploitation of the 'q' parameter, which is used on AI platforms to deliver a user's query or prompt via a URL. The attack resulted in one-click compromise and persisted after the chat was closed. Microsoft addressed the issue in January 2026's Patch Tuesday update, and the attack does not affect enterprise customers using Microsoft 365 Copilot. The Reprompt attack can exfiltrate sensitive data from AI chatbots like Microsoft Copilot in a single click, maintaining control even when the Copilot chat is closed. The attack uses the 'q' URL parameter in Copilot to inject a crafted instruction directly from a URL, instructs Copilot to bypass guardrails by repeating each action twice, and triggers an ongoing chain of requests through the initial prompt for continuous data exfiltration. The attack can exfiltrate data such as user-accessed files, location, and vacation plans, turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plugins, or connectors. The root cause of Reprompt is the AI system's inability to delineate between instructions directly entered by a user and those sent in a request. The server can request information based on earlier responses, probing for even more sensitive details, with the real instructions hidden in the server's follow-up requests.

Timeline

  1. 14.01.2026 16:00 3 articles · 1d ago

    Reprompt Attack Disclosed and Patched by Microsoft

    Researchers identified the Reprompt attack method, which allows hackers to hijack Microsoft Copilot sessions by embedding malicious prompts in URLs. The attack leverages three techniques: P2P injection, double-request, and chain-request methods. The attack starts with the exploitation of the 'q' parameter, which is used on AI platforms to deliver a user's query or prompt via a URL. The attack resulted in one-click compromise and persisted after the chat was closed. Microsoft addressed the issue in January 2026's Patch Tuesday update, and the attack does not affect enterprise customers using Microsoft 365 Copilot. The Reprompt attack can exfiltrate sensitive data from AI chatbots like Microsoft Copilot in a single click, maintaining control even when the Copilot chat is closed. The attack uses the 'q' URL parameter in Copilot to inject a crafted instruction directly from a URL, instructs Copilot to bypass guardrails by repeating each action twice, and triggers an ongoing chain of requests through the initial prompt for continuous data exfiltration. The attack can exfiltrate data such as user-accessed files, location, and vacation plans, turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plugins, or connectors. The root cause of Reprompt is the AI system's inability to delineate between instructions directly entered by a user and those sent in a request. The server can request information based on earlier responses, probing for even more sensitive details, with the real instructions hidden in the server's follow-up requests.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

ServiceNow Now Assist AI Agents Vulnerable to Second-Order Prompt Injection

ServiceNow's Now Assist AI platform has been found vulnerable to second-order prompt injection attacks due to default configurations that allow agent-to-agent collaboration. Malicious actors can exploit these settings to perform unauthorized actions, such as data exfiltration, record modification, and privilege escalation, without user awareness. ServiceNow has acknowledged the behavior, emphasizing it is intended, and updated its documentation to clarify the risks. Additionally, ServiceNow has patched a critical security flaw (CVE-2025-12420) that could enable unauthenticated user impersonation, addressing the issue with security updates deployed to hosted instances and provided to partners and self-hosted customers on October 30, 2025.

Open in new tab

Indirect Prompt Injection Vulnerabilities in ChatGPT Models

Researchers from Tenable discovered seven vulnerabilities in OpenAI's ChatGPT models (GPT-4o and GPT-5) that enable attackers to extract personal information from users' memories and chat histories. These vulnerabilities allow for indirect prompt injection attacks, which manipulate the AI's behavior to execute unintended or malicious actions. OpenAI has addressed some of these issues, but several vulnerabilities persist. The vulnerabilities include indirect prompt injection via trusted sites, zero-click indirect prompt injection in search contexts, and prompt injection via crafted links. Other techniques involve bypassing safety mechanisms, injecting malicious content into conversations, hiding malicious prompts, and poisoning user memories. The vulnerabilities affect the 'bio' feature, which allows ChatGPT to remember user details and preferences across chat sessions, and the 'open_url' command-line function, which leverages SearchGPT to access and render website content. Attackers can exploit the 'url_safe' endpoint by using Bing click-tracking URLs to lure users to phishing sites or exfiltrate user data. These findings highlight the risks associated with exposing AI chatbots to external tools and systems, which expand the attack surface for threat actors. The vulnerabilities stem from how ChatGPT ingests and processes instructions from external sources, allowing attackers to exploit these flaws through various methods. The most concerning issue is a zero-click vulnerability, where simply asking ChatGPT a benign question can trigger an attack if the search results include a poisoned website.

Open in new tab

Atroposia malware-as-a-service platform discovered

A new malware-as-a-service (MaaS) platform named Atroposia offers cybercriminals a remote access trojan (RAT) with capabilities for persistent access, evasion, data theft, and local vulnerability scanning. The malware is available for a $200 monthly subscription and includes advanced features such as hidden remote desktop, file system control, data exfiltration, clipboard theft, credential theft, cryptocurrency wallet theft, and DNS hijacking. Atroposia was first identified by researchers at Varonis on October 15, 2025, and has been observed being promoted on underground forums. The platform includes modules for hidden remote desktop sessions, file management, data exfiltration, credential theft, clipboard monitoring, DNS hijacking, and local vulnerability scanning. The vulnerability scanner audits missing patches, unsafe settings, and vulnerable software, allowing attackers to prioritize exploits. The platform can be combined with SpamGPT and MatrixPDF to create a plug-and-play criminal toolkit. SpamGPT automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling, while MatrixPDF weaponizes ordinary PDF files to bypass email filters. Atroposia uses encrypted command and control (C2) servers to foil traffic inspection and automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms.

Open in new tab

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.

Open in new tab

Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software. Cybersecurity researchers have disclosed details of a new campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices, and involved the exploitation of a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. The attacks singled out victims running older Linux systems without endpoint detection response solutions, using spoofed IPs and Mac email addresses. The rootkit sets a universal password that includes the word "disco" in it, and the malware installs several hooks onto the IOSd, resulting in fileless components disappearing after a reboot. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). The campaign used a UDP controller on infected switches to toggle logs, bypass authentication, and conceal configuration changes. The rootkit allowed attackers to hide running-config items such as account names, EEM scripts, and ACLs. The rootkit could bypass VTY ACLs and reset the last running-config write timestamp. The rootkit could toggle or delete device logs. The attacks against 32-bit builds included an SNMP exploit that split command payloads across packets. For 64-bit targets, attackers needed guest shell access at level 15 to install a fileless backdoor and use a UDP controller for remote management. The rootkit granted several covert capabilities, including acting as a UDP listener on any port for remote commands. The rootkit created a universal password by modifying IOSd memory. The rootkit could hide running-config items such as account names, EEM scripts, and ACLs. The rootkit could bypass VTY ACLs and reset the last running-config write timestamp. The rootkit could toggle or delete device logs. The attacks targeted older Linux hosts lacking endpoint detection response, where fileless components could disappear after reboot, yet still enable lateral movement. Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms. The operation impacted Cisco 9400 series, 9300 series, and legacy 3750G devices. Cisco provided forensic support that helped confirm affected models and assisted the investigation. The attacks involved a Telnet variant used to permit arbitrary memory access. Cisco has also patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices. Cisco strongly recommends upgrading to fixed software releases to fully address the vulnerability. Cisco also addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine. Cisco warned customers in December that a Chinese threat group tracked as UAT-9686 is exploiting a maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393) that's still awaiting a patch in attacks targeting Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.

Open in new tab