AgentFlayer: Zero-Click Hijacks Threaten Enterprise AI

Zenity Labs’ Black Hat presentation unveiled a dramatic new class of threats to enterprise AI: “zero‑click” hijacking techniques that can silently compromise widely used agents and assistants — from ChatGPT to Microsoft Copilot, Salesforce Einstein, and Google Gemini — allowing attackers to exfiltrate data, alter workflows, impersonate users, and even maintain persistent control inside an organization’s AI surface. (prnewswire.com, cybersecuritydive.com)

Background​

AI agents — conversational assistants, automated ticket handlers, and tool‑enabled “agents” that read mail, open documents, call APIs, and act on behalf of users — have moved quickly from lab prototypes to everyday enterprise tooling. That shift has dramatically expanded the attack surface for organizations: an agent with access to email, Google Drive, CRM systems, or internal APIs suddenly becomes a high‑value target. Zenity Labs’ research, presented at Black Hat USA 2025 under the label “AgentFlayer,” shows how that attack surface can be exploited without the victim ever clicking, typing, or taking any explicit action. (prnewswire.com, zenity.io)
The problem is rooted in how modern agents assemble context for responses. Retrieval‑augmented generation (RAG) patterns — where agents pull documents, emails, calendar entries, and other external content into the prompt context — are powerful for productivity but open a path for prompt injection, where a maliciously crafted artifact becomes an instruction to the model itself. Zenity demonstrated multiple exploit chains that weaponize that mechanism to achieve full agent compromise. (csoonline.com, wired.com)

---

What the research actually demonstrated​

Zenity’s demonstrations covered several high‑impact scenarios. The most consequential, replicated across multiple vendors and frameworks, fall into a few repeatable categories:

• Email and document prompt‑injection that silently instructs an agent to search connected storage and exfiltrate credentials or files. Zenity showed ChatGPT Connectors being coaxed — via an emailed document — to pull secrets from a connected Google Drive and send them to attacker‑controlled endpoints. (prnewswire.com, cybersecuritydive.com)
• Customer‑support agents built in Microsoft Copilot Studio leaking CRM records and internal tool details; Zenity reported finding more than 3,000 vulnerable Copilot Studio agents in the wild that expose internal tools and data. (prnewswire.com, cybersecuritydive.com)
• Manipulation of Salesforce Einstein workflows so that case creation or routing could be hijacked and communications rerouted to attacker‑controlled addresses. (prnewswire.com, cybersecuritydive.com)
• Calendar and invite‑based “poisoning” that triggers Google Gemini to take actions or reveal contextual information without explicit user consent. Related research has shown how calendar invites can be weaponized to control smart devices or prompt data leaks. (wired.com, prnewswire.com)
• Memory persistence techniques: Zenity claimed techniques to implant malicious memories or model state so that subsequent sessions continue to behave maliciously even after the initial injection. That vertical — persistence inside an agent’s knowledge or session store — is particularly unnerving for defenders. (prnewswire.com)

These are not hypothetical thought experiments: Zenity published working proof‑of‑concept exploit chains and reported coordinated disclosures to the affected vendors. Several companies — including Microsoft, OpenAI, Salesforce, and Google — acknowledged the research and confirmed mitigations or patches. (cybersecuritydive.com, prnewswire.com)

---

Technical anatomy: how zero‑click hijacks work​

1. Retrieval as a double‑edged sword​

Agents use retrieval from connected sources to enrich prompts. That same retrieval can surface attacker‑controlled content that the model treats as instructions. When a document or calendar entry contains embedded or formatted payloads (for example, disguised Markdown or image URLs that carry data), the agent can be tricked into executing the hidden prompt. This is the core mechanism behind many of the exploits demonstrated. (csoonline.com, wired.com)

2. Prompt injection and indirect channels​

Attackers rely on techniques that the model will follow indirectly: embedding directives that look like normal content but instruct the model to locate specific secrets or to format outputs in ways that cause automatic network requests (such as base64‑encoded data embedded in image URLs). The model’s desire to be helpful is the vulnerability. Once the model outputs a crafted URL or image reference, the user’s system or browser may fetch that resource and leak the contained data to the attacker. (bleepingcomputer.com, wired.com)

3. Trusted connectors and scope violation​

Many enterprise connectors (Google Drive, SharePoint, email, Teams) are implicitly trusted by agent frameworks. If a malicious artifact resides within a trusted domain or is retrieved as “relevant,” it can bypass external domain blocks and other network controls. That trust model creates LLM scope violations where the agent leaks internal artifacts because its retrieval logic deems them contextually relevant. (bleepingcomputer.com, csoonline.com)

4. Memory persistence and implanted state​

Some agents keep short‑ or long‑term memory to improve continuity. Zenity’s demonstrations included implanting malicious memories so the agent would continue to act maliciously across sessions — effectively granting an attacker long‑term presence inside the AI surface. Persistence makes detection and remediation much harder; it transforms a single exploit into an enduring foothold. (prnewswire.com)

---

Why this matters to enterprises​

These exploit classes are not mere nuisance bugs. They change the adversary model:

• Silent data exfiltration at scale. Zero‑click attacks can be automated and executed en masse — a single poisoned document or invite could be delivered programmatically to thousands of employees, turning each connected agent into a potential leakage channel. (prnewswire.com, bleepingcomputer.com)
• Operational sabotage and fraud. Compromised agents handling customer cases, billing, or support workflows can reroute funds, alter records, or mislead staff and customers in ways that are difficult to trace because actions originate from a trusted automation layer. (prnewswire.com)
• Identity and impersonation risks. If an agent can be instructed to impersonate a user — sending emails or messages that look legitimate — it becomes an insider threat without physical presence. That increases the difficulty of detecting social engineering attacks that now come from a system identity. (cybersecuritydive.com)
• Long‑term misinformation. Memory persistence amplifies the risk of sustained misinformation campaigns inside an organization’s AI—poisoned memories can be repeatedly used to bias future decisions, recommendations, or reporting. (prnewswire.com)

These impacts are particularly acute where agents are trusted to make or support critical decisions, such as incident triage, ticket routing, financial approvals, and customer communications. The broader implication is that traditional perimeter security and endpoint defenses are not sufficient when the “user” is an AI with cross‑system privileges. (cybersecuritydive.com, csoonline.com)

---

How major vendors responded (and what they changed)​

Zenity disclosed findings to vendors and coordinated fixes; public responses indicate immediate mitigation activity.

• Microsoft said the reported behavior was no longer effective thanks to ongoing platform improvements and reiterated Copilot’s built‑in access controls and safeguards. Microsoft also pointed to prior mitigations that addressed similar echo/exfiltration vectors. (cybersecuritydive.com, csoonline.com)
• OpenAI confirmed engagement with Zenity and issued a patch for ChatGPT Connectors; the company emphasized its bug‑bounty program for responsible disclosures. (cybersecuritydive.com)
• Salesforce reported it fixed the reported Einstein routing issue. (cybersecuritydive.com)
• Google said it had recently deployed layered defenses against prompt‑injection‑style attacks and encouraged defense‑in‑depth strategies to mitigate such risks. Independent demonstrations of calendar invite and document weaponization spurred additional hardening. (cybersecuritydive.com, wired.com)

Those responses are meaningful, but vendor fixes vary: some are platform‑level mitigations, others are specific rule updates. The distributed and evolving nature of agent deployments — many built using vendor frameworks but configured and extended by customers — means that responsibility is shared and that a patch from the platform provider may not fully protect a misconfigured or third‑party‑extended agent. (prnewswire.com, csoonline.com)

---

Strengths and limitations of the research​

Zenity’s work is notable and timely. Strengths include:

• Demonstration of working exploit chains across multiple vendor ecosystems, showing real feasibility rather than theory. (prnewswire.com)
• Clear articulation of persistence techniques and the “agent as target” model, reframing attacker goals. (prnewswire.com)
• Coordinated disclosure and vendor engagement, which led to rapid mitigations in several cases. (cybersecuritydive.com)

Limitations and caveats to consider:

• Proof‑of‑concept demonstrations do not equate to observed mass exploitation in the wild; vendors and independent reporting so far indicate mitigation and no confirmed large‑scale abuse in production deployments tied directly to these PoCs. However, the absence of detected exploitation does not imply the techniques are harmless or unusable by motivated attackers. (cybersecuritydive.com, bleepingcomputer.com)
• Some detailed technical claims — for example, the exact mechanisms of long‑term memory persistence within proprietary agent platforms — are inherently harder for third parties to fully verify without vendor telemetry. Where Zenity reports persistence, organizations should treat that as a demonstrated capability in lab conditions that requires validation in each operational context. (prnewswire.com)

It’s important to strike a balance: the research highlights credible, repeatable vectors that should change defensive postures, but remediation requires careful, contextual engineering work rather than one‑size‑fits‑all patches. (csoonline.com)

---

Practical defenses: an agent‑centric security checklist​

Defenders must adopt an agent‑centric approach that treats AI agents as first‑class controlled services. The following measures form a practical starting point:

• Harden connectors and retrieval: restrict which storage and domains agents can query; enforce strict allowlists for sources that can be retrieved at runtime. (csoonline.com)
• Sanitize and validate retrieved content: implement content filters that remove or neutralize active elements (scripts, Markdown constructs, exotic image URLs) before they are passed into model context. (wired.com, csoonline.com)
• Limit agent privileges: follow least‑privilege principles. Agents should not have broad, persistent access to entire drives, CRM exports, or admin APIs unless explicitly required. Use short‑lived tokens and scoped service identities. (csoonline.com)
• Control memory and state: do not allow arbitrary long‑term memory writes; maintain auditable, human‑reviewable memory entries and provide explicit retention and purge policies. (prnewswire.com)
• Output filtering and network controls: block automatic fetching of external resources from agent outputs, or sanitize outputs to eliminate channels that can signal to external servers (for example, by disallowing inline URLs with embedded data). (bleepingcomputer.com, wired.com)
• Monitoring and anomaly detection: instrument agents with audit logs, behavioral baselines, and alerting for unusual queries to internal systems or unexpected outbound connections. (csoonline.com)
• Vendor and supply‑chain review: assess how vendor frameworks implement guardrails; test vendor claims in sandboxed environments and require security SLAs for enterprise deployments. (zenity.io, prnewswire.com)
• Start with an inventory of deployed agents and connectors.
• Prioritize agents with the highest privileges or widest reach (CRM, finance, legal).
• Apply the mitigations above and validate with adversarial testing (red‑team exercises focused on prompt injection). (prnewswire.com, csoonline.com)

---

Incident response and threat modelling​

When an agent is suspected of compromise, rapid containment differs from a typical endpoint incident:

• Assume compromise of agent credentials and connectors; revoke tokens and rotate keys immediately.
• Snap agent‑to‑system bindings — temporarily isolate the agent from high‑risk resources (Drive, CRM, admin APIs).
• Capture and preserve agent logs and retrieved content for forensic analysis, including model prompts and responses if available.
• Treat implanted memories as potential persistence mechanisms; inspect and scrub any learned state stores or memory caches.
• Conduct a full business process impact assessment: identify messages, automations, or workflows the agent has touched and verify integrity. (prnewswire.com)

Threat modeling for agents should include data classification, identification of connector scope, and explicit mapping of “what the agent can do” versus “what the human can do.” That mapping helps set realistic guardrails and detect deviations quickly. (csoonline.com)

---

Governance, policy, and the human element​

Technical controls alone are insufficient. Organizations must update policies and training:

• Define an AI‑use policy that restricts which agents can access what data and under which approvals.
• Require change control for agent configuration and any addition of new connectors or memory features.
• Train staff to treat agent outputs critically and to use validation steps for actions with financial, legal, or reputational impact.
• Build vendor accountability into procurement: require transparency on how retrieval, output filtering, and memory are implemented and ask for attestations around prompt‑injection mitigations. (prnewswire.com, zenity.io)

---

Future risks and the regulatory angle​

As agents become more autonomous and embedded in workflows, regulators and auditors will demand stronger controls. Expect:

• Increased scrutiny on data governance around RAG systems and mandatory reporting for AI‑driven data breaches.
• Standards and best practices for agent design that include content sanitization, connector allowlisting, and memory management.
• Insurance and compliance implications: organizations that fail to treat agents as privileged systems may face tougher regulatory or contractual consequences. (cybersecuritydive.com, zenity.io)

Attackers will also iterate: the same techniques that weaponize documents and calendar invites for exfiltration could be adapted for deception, fraud, and supply‑chain compromise. The speed of attacker innovation argues for continuous testing and defensive evolution. (wired.com)

---

Conclusion​

Zenity Labs’ AgentFlayer research is a watershed moment for enterprise AI security: it converts a conceptual risk — agents as attractive targets — into repeatable, demonstrable exploit chains that bypass human interaction. The work underscores that agents are not simply software endpoints; they are privileged actors in enterprise systems and must be secured accordingly. (prnewswire.com, cybersecuritydive.com)
Defensive progress is already underway — vendors have patched vulnerabilities and emphasized layered defenses — but this is only the start. Organizations must move quickly to inventory agent deployments, impose strict connector governance, sanitize retrieved content, minimize privileges, and instrument robust monitoring. Without an agent‑centric security posture, enterprises risk letting attackers compromise an AI instead of a human, creating silent, persistent, and high‑impact insider threats. (cybersecuritydive.com, csoonline.com)
Caveat: some claims in vendor and vendor‑independent writeups reflect mitigations or lab demonstrations rather than documented, large‑scale exploitation in the wild; defenders should treat the research as a clear call to action and validate controls in their specific environments before assuming complete protection. (bleepingcomputer.com, prnewswire.com)

---

---

Source: CIO Dive Research shows AI agents are highly vulnerable to hijacking attacks