Skip to main content

The S-Unit

New attack surface: AI assistants silently leak data

Nieuw aanvalsoppervlak: AI-assistenten

One click is enough

Researchers have discovered a new attack technique: the Reprompt attack. This attack exploits the way AI assistants such as Microsoft Copilot handle user input via URLs. By using a specially crafted link containing hidden instructions, an attacker can make Copilot execute commands. According to security researcher Dolev Taler of Varonis, only a single user click is required. No further interaction is needed and the user remains completely unaware.

Abuse of URL input

How does this vulnerability arise? Copilot does not sufficiently distinguish certain input from URL parameters from legitimate user commands. As a result, an attacker can invisibly make the AI assistant execute new tasks. Even after the user has closed the Copilot interface, the attack can remain active. The hidden instructions are designed to collect and exfiltrate sensitive information from the ongoing session, such as contextual data and other available information. This is something you obviously want to prevent at all times.

Barely visible to users and security tools

The impact is significant, as the attack is barely visible to users and security systems. Traditional security measures, such as content filters and user confirmations, are effectively bypassed.

Patch available, risk remains relevant

Microsoft was informed by the researchers and has since addressed the issue. Enterprise Microsoft 365 Copilot environments were not affected. Nevertheless, this attack demonstrates that AI assistants represent a new and complex attack surface, posing serious risks to privacy, compliance, and information security.

How can you reduce or completely prevent this risk?

  • Restrict AI assistants such as Copilot to strictly necessary data (least privilege).
  • Train users not to click on unknown or unexpected links.
  • Implement logging and monitoring of AI interactions, including unexpected follow-up actions and outbound communication.
  • Ensure users understand how prompt injection and indirect AI attacks work.
  • Explicitly include AI assistants in risk assessments, penetration tests, and security policies.
 
Always one step ahead of cyber threats in your industry?
Talk to one of our security advisors or explore our consultancyservices.