📖 4 min read

Your AI assistant just became an attack vector. Microsoft patched a flaw this week that let attackers hijack Copilot sessions with a single click — no malware, no plugins, just one legitimate-looking link. I had to read the Varonis report twice. The simplicity is what got me.

This is exactly what we're hearing from the network. AI + security concerns have nearly doubled — from 7% to 14% of priority submissions in six months. We're not inferring concern from headlines. We're seeing it in buying behavior.

Two stories this week. Both demand action before Monday.

Security researchers at Varonis discovered "Reprompt" — an attack that let hackers silently exfiltrate data from Microsoft Copilot using nothing but a malicious URL. Click the link, and Copilot starts answering the attacker's questions: What files did you open today? Where are you located? What's in your chat history?

The attack bypassed Copilot's data-leak protections entirely. Microsoft's safeguards only applied to the first request. By instructing Copilot to repeat actions, attackers could exfiltrate data continuously — even after the user closed the chat window. The session persisted. The exfiltration continued. No alerts fired.

This wasn't a theoretical proof-of-concept. Varonis demonstrated full data extraction: names, locations, file references, conversation history. All from one click on what looked like a legitimate Microsoft URL.

Microsoft patched the issue on January 13. Enterprise M365 Copilot customers were not affected — this time. But the attack pattern is universal: any AI assistant that accepts URL parameters is a potential exfiltration channel.

Source: Varonis / The Hacker News

🔐 CISO Take: The patch matters, but the lesson is bigger. AI assistants collapse traditional trust boundaries. A "legitimate" link from a trusted domain triggered invisible data theft. This week: audit which AI tools accept auto-populated prompts via URL. Add Copilot/ChatGPT URL parameters to your DLP monitoring. If your security stack can't see what your AI assistants are doing, you have a blind spot.

💻 CIO Take: Push the January Windows cumulative update immediately — don't wait for your normal cycle. Then ask the harder question: do you have visibility into which personal AI accounts employees are using from corporate devices? Shadow AI isn't just a governance problem anymore. It's an exfiltration vector.

📡 Network signal: One CISO submitted this week: "I am looking for tools that would allow us to gatekeep our AI agents and workflows to keep a human in the loop to reduce the risk associated with activities." That's exactly the gap Reprompt exploited — no human ever saw the malicious instructions.

January's Patch Tuesday dropped 114 vulnerabilities. One zero-day (CVE-2026-20805) is already being exploited. But that's not the number that matters.

Microsoft flagged eight vulnerabilities as "exploitation more likely." That's the signal most organizations miss. These aren't Critical-rated headline grabbers — they're 7.8 CVSS privilege escalation flaws in Windows Installer, Error Reporting, NTFS, and Common Log File System. The kind attackers chain together after initial access.

The exploited zero-day affects Desktop Window Manager. It leaks memory addresses that help attackers bypass ASLR — a protection that randomizes where code lives in memory. By itself, it's a 5.5 CVSS information disclosure. Combined with the eight "exploitation more likely" flaws, it's a full attack chain waiting to happen.

CISA added CVE-2026-20805 to the Known Exploited Vulnerabilities catalog within hours. With NTFS flaws now publicly discovered, the gap between patch and exploit is shrinking.

Source: BleepingComputer

🔐 CISO Take: Don't just patch the zero-day. Prioritize the eight "exploitation more likely" flaws — CVE-2026-20816 (Installer), CVE-2026-20817 (Error Reporting), CVE-2026-20820 (CLFS), CVE-2026-20840 and CVE-2026-20922 (NTFS). These are the stepping stones. If attackers get initial access this month, these are the vulns they'll chain.

💻 CIO Take: The January patch also removes vulnerable third-party Agere modem drivers. If you have legacy hardware dependencies, you'll need alternatives. Test the update on a representative sample, but don't delay — "exploitation more likely" flaws rarely stay theoretical for long.

📡 Network signal: A VP of IT submitted: "Looking for a product to assist us with device hardening, framework adoption, and establishing secure baselines for machines." Patch Tuesday is the monthly reminder: baselines need updating constantly.

This week's signal: AI security isn't theoretical — it's operational.

Mentions of AI alongside security concerns have nearly doubled since mid-2025. In the last 90 days, 14% of priority submissions reference both AI and security/threat concerns, up from 7% in the first half of the year.

One quote captures it:

The Reprompt attack proves the instinct right. When AI assistants can be hijacked with a URL parameter, "human in the loop" isn't governance theater — it's a security control that was missing.

Leaders are buying accordingly. This is the signal we track.

What's your AI governance gap? Reply and tell me — I read every response.

DoGood connects IT leaders with vetted vendors. You control your calendar. Every meeting is opt-in, pre-screened, and paid.

5,000+ members. $24B average company revenue. No spam, no cold calls — just meetings you choose to take.

Apply to Join →

/

The CXO Brief is published weekly by DoGood. Was this forwarded to you? Subscribe here.