CyberWire Daily - Data leak without a click. [Research Saturday]
Episode Date: September 13, 2025Today we are joined by Amanda Rousseau, Principal AI Security Researcher from Straiker, discussing their work on "The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive ...with One Email." Straiker’s research found that enterprise AI agents can be silently manipulated to leak sensitive data, even without user clicks or alerts. By chaining small gaps across tools like Gmail, Google Drive, and calendars, attackers achieved zero-click exfiltration, system mapping, and even policy rewrites. The findings highlight that excessive agent autonomy creates a new attack surface, requiring least-privilege design, runtime guardrails, and continuous red-teaming to stay secure. The research can be found here: The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive with One Email Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington.
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber
innovation. Visit DMV Rising.com to secure your spot.
At TALIS, they know cybersecurity can be tough, and you can't protect every.
thing. But with TALIS, you can secure what matters most. With TALIS's industry-leading platforms,
you can protect critical applications, data and identities, anywhere and at scale with the highest
ROI. That's why the most trusted brands and largest banks, retailers, and health care
companies in the world rely on TALIS to protect what matters most. Applications, data, and
identity. That's TALIS. T-H-A-L-E-S. Learn more.
at talusgroup.com slash cyber.
Hello everyone and welcome to the Cyberwires Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting our
in our rapidly evolving cyberspace.
Thanks for joining us.
So we tried to approach it in a way where we have kind of multimodal attacks.
It's not just a simple prompt injection.
Now that we have the, I guess, influence of agentic AI, right?
So we have agents that can do web searches, can look at the,
Google Drive, look at your email.
This kind of brings in that traditional cyber security factor there.
What are the security boundaries, right?
That's Amanda Russo, principal AI security researcher from Stryker.
The research we're discussing today is titled the Silent Exfiltration,
zero-click agentic AI hack that can leak your Google Drive with one email.
So we wanted to look into how can we cross those security boundaries through just prompts,
either indirect prompts or direct prompts.
So the term silent exfiltration, what are we talking about with that?
So with silent exfiltration, say you have an agent connected to your email or your Google Drive
and you say, hey, can you summarize all of my email?
can you summarize the documents that are in my Google Drive or can you help me search for one?
And as it's going through doing those summaries, it's going to be looking at the text content.
And in that text content, there's going to be indicators for parsing or even, you know, prompt indicators that it will automatically pick up.
And this is not something that the agent intended to do.
this is kind of part of that, you know, excessive agency that we mentioned in the blog.
So it'll automatically look at the content there and, you know, try to run Python's code,
try to use the prompt.
So a lot of these things is trying to figure out, you know, input sanitization or, you know,
putting guardrails around what kind of content is actually consuming.
well you will refer to this as a zero-click hack what's what's so alarming about that particular
aspect of it yeah so with zero something with zero click say you're you have your agent connected
and you get an email or a Google Drive document that has a prompt injection in there
and you were to say hey summarize all of my email it will go in and even though you weren't
Intending to, you know, access that malicious email or a malicious document, it'll automatically
exfiltrate either all your email, all your Google Drive documents out to a C2 or a collection
server without your knowledge. It'll all do it on the back end with where the agent is processing.
And is this sort of the fundamental issue with agentic AI that it seems to me like it sort of takes
down the borders between the various apps on your system.
Right, right.
There's no rules.
There's no rule detection.
Like there is like a WAF or something.
It's all about, you know, coercion or, you know, asking it to do something that it normally
doesn't do, relying on its parsing failures, trying to deceive it.
Like, say you want to do a role play or something and it'll try to, you know, get around
those guard rails. So it's it's no longer like a cut and dry traditional cybersecurity or
antivirus, you know, rule. There's going to be a lot more changes in how we protect these
things. What makes email such a powerful vector in this particular case? Well, you are at the
mercy of the email filtering for that particular provider, right? If there's email that is coming
through and it's getting, you know, summarized by your AI agent. There's no extra guardrail
there saying, hey, you know, I shouldn't look at my spam email. I shouldn't look at the content in this
email. Or maybe it doesn't have like an external indicator that it's from an external party. Maybe
it was an insider. You know, you don't know, you don't have that human element of discerning between
like a good email and a bad email. And I don't think we're at the point yet where we have email rules
that filter prompt injections, not yet.
Can you help me understand the potential scope of this?
I mean, let's say I'm the bad actor
and I put some sort of a prompt injection
in an email that I send to you.
Is the sky the limit here
on what I can do on your machine?
Or where do you suppose the edges are?
What capabilities does the agent have?
Like, can it do web search?
Can it access the web? Can it do post-request and get requests? Can it do Python code execution?
Can it make documents? Can it have access to the file system? So a lot of these are where, you know, the security boundaries are and how much you allow that agent to perform those things.
So for instance, you know, even though it was unattended that you wanted to execute Python, you know, is it possible?
to do like a Python interpreter breakout through just like a prompt injection from an email,
and then you could own the whole, you know, backend system there.
It's kind of merging between traditional cybersecurity like hardening for these tools that
the agent is using. And on top of that, from the AI side, is having those guardrails to
recognize when it's being abused.
Well, in your research, to what degree is this, you're,
speculative or potential and how much have you actually tried it out and seeing how effective it
can be? From the blog, this is actually our work making these red teaming scenarios both in
enterprise and in our research lab. There's only so much we can talk about publicly, but a lot of
this comes from like real life attacks that we've administered ourselves. I see. What are your
recommendations then? I mean, how do folks best protect themselves against this sort of thing?
Yeah, it's going to be, you know, how much do you trust that AI agent, right? In an enterprise
environment, are you going to have some type of guardrails around the traces of the AI? It's
through its conversations, similar to like the product that we're trying to push out? And also,
have you really taken a look at hardening the tools that it's using?
You know, are you putting your code interpreter into a properly hardened sandbox or a container?
You know, what type of request do you allow for web searches?
Are there any guardrails about inputs and capabilities for touching documents and emails?
Can you send emails?
Can you delete emails?
You know, it's possible that you can get an email that says delete all emails, right?
But if you don't have that guardrail in there that says, no, we won't allow the AI agent to delete anything.
you know, it's all about how you configure that.
We'll be right back.
At Talas, they know cybersecurity can be tough and you can't protect everything,
but with Talas, you can secure what matters most.
With Talas' industry-leading platforms, you can protect critical applications,
data and identities, anywhere,
and at scale with the highest
ROI. That's why the most
trusted brands and largest banks,
retailers, and health care companies
in the world rely on
TALIS to protect what matters most.
Applications, data, and
identity. That's TALIS.
T-H-A-L-E-S.
Learn more at
talusgroup.com
slash cyber.
to exclusive Amex pre-sale tickets
can score you a spot track side.
So being a fan for life
turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events
subject to availability and vary by race.
Terms and conditions apply.
Learn more at amex.ca.
slash Yannex.
Yeah, it strikes me that email is
it's such an interesting vector
because you know, you get incoming stuff
from all sorts of different places.
They're not really vetted ahead of time.
And I suppose you do have filtering for spam and so on.
But it's an odd thing on our computers
where we kind of let stuff come in, right?
And in this case, through the agentic AI,
we're enabling the activation of other actions
through what previously had been just sort of a benign function of email.
Am I on the right track there?
Yeah, yes. So it's not necessarily like a click, like cut and dry. I click a button. It does that thing. It's now like conversation, social engineering, traditional social engineering with an AI agent, at least from my point of view, coming from the security background.
Yeah. Where do you suppose we're headed with this? I mean, you can see the potential benefits of agentic AI, but there's this flip side, right?
Yes, yes. And with any new technology, there's going to be the downsides, right? It's growing pains with trying to secure it. So we're moving so fast that now we have more solutions out there to help protect or add guardrails to these things. The best thing to do is jump on it early, do an assessment of how you're using your agentic AI and try to get that set up before something else happens like you.
have complete exfiltration of your internal infrastructure, right?
Well, help me understand what that looks like, what the limitations look like.
In other words, am I putting limits on the agentic AI itself, or is this another security layer
that goes on top to keep an eye on the agentic AI, or is it a mix of all those things?
I think it's going to be layered.
It's going to be a mix of all those things.
You're going to have to have some type of logging.
You know, if you're an instant responder, how are you going to figure out how the exfiltration happened, right?
Are you going to be following the tools?
Are you going to be following the AI traces?
Are you going to be looking at the person who's actually doing it?
All of these things, there's got to be data somewhere, right?
And you've got to be making, you got to make sure you have that in your infrastructure.
On top of that, there's like layers of security based off the tools that it's using or your MCP servers or
whatever it has access to, and then you have the AI layer, which is the AI-related guardrails
for using those tools.
I'm curious, as a security professional, how are you looking at all this?
Like, what's your outlook here?
How do you feel?
How do I feel?
You know, when I moved over to this company, it was an opportunity for me to explore the AI space,
but bringing my security background.
And I feel like it's the Wild Wild West, to be honest.
It's like a lot of security, traditional security concerns in this type of infrastructure.
Like recently, I just got a sandbox scheme with Python interpreter.
So, and it was just through conversation, right?
So for me, it's like, it's like a fun puzzle.
Like, how can I trick the AI today on how I can get to where I want?
Right, right. And at the same time, it seems to me like, as you say, it's the Wild West,
but there's this huge green field where we don't know what we don't know so far.
So I suppose there's excitement in that realm of discovery, but at the same time, a little trepidation at the same time.
Yes, yes. It's both scary. It makes me realize, like, if I were to implement my own agent, how would I, you know, protect it?
If I'm just using it for personal research.
And then if just imagining it in an enterprise, it's like, man, I'm going to have to like look at the whole infrastructure to make sure that this thing is safe.
So it's just an unexplored field.
And I feel like there could be a lot of, you know, new research and new discoveries in this area.
Yeah.
It also strikes me the people who would benefit from this sort of thing.
I can imagine the early adopters of Agentic AI being high-level executives because their time is so valuable, but at the same time, they're the ones who have the keys to the kingdom.
Yes, yes. It does save you time, for sure. But at the same time, you know, with speed, there's also going to be a cost for security, right?
So we definitely need to jump on that now.
And I feel like this is the era of where agentic security is just blooming.
And so what is available out there for folks right now who are curious about agentic AI?
What are the offerings that are out there to help protect them in these early days?
Yeah.
I mean, with Stryker, we have a lot of companies that are in the same industry.
They're going to be about, you know, prompt injection protections, guardrails.
But for agenic AI, it's going to be a layering for folks that have that traditional security background.
And then you're working with someone who's in AI, who knows the AI side.
And that's pretty much what my team has made up of is that mixture of traditional security folks and AI folks.
I don't know if there's, you know, a true end-all solution yet because it's just starting, right?
Right.
And everybody's going to implement their own framework.
There's so many MCP servers out there that, you know, haven't been scanned, haven't been looked at yet.
Is it, you know, do we just roll in with any MCP server and put in our agent?
We don't know what it does.
Right.
So there's kind of like, are we going to have, you know, going down the line, are we going
have to sign MCP servers or assign tools that are we know that are good. You know, how do we track
their supply chain as well? Right. I also try to imagine the out-of-the-box offering of this.
For, you know, the mere mortal, the every, you know, normal computer user who wants to take
advantage of this sort of thing, it's hard to imagine what that's going to look like in an
effective way to put meaningful guardrails on them. Right, right.
And I would say the larger AI agentic offerings are probably going to have that infrastructure to do those guardrails and they have teams that, you know, constantly fix these problems.
But when you get into the smaller, like, I'm going to roll my own O Lama, GPT OSS or Lama 2 or whatever, and you do that locally, you know, you don't have that capability to put in guardrails.
Like, what do you do then?
So I think it's all about picking and choosing your battles there or just throw it all into a sandbox, you know?
Right, right.
Well, I mean, looking back at the research here, what do you hope that people come away from having read it?
What I hope to come away with is I want AI researchers, both the people developing and the people protecting, to realize that it's not just, it's not just,
prompt injections anymore. It's going to be multimodal, multi-turn attacks. So one of the things I've found
is that, you know, if you do multi-turn attacks, it's easier to extract information out of there
rather than just one end-all be all prompt. So it's not just this cut and dry. I try to social
engineer with one prompt. No, it's going to be multiple different routes depending on what capabilities
that agent has to craft these attacks.
And you're just going to have to put a layer on every part of it,
a layer of security on every part of it.
Yeah.
And if there's one thing we know about adversaries,
is that they have patience.
Mm-hmm. Mm-hmm.
Yeah.
So can you give me an idea of what the spectrum of offerings are out there?
What sort of tools are available to people right now?
well you know with my company obviously we our product focuses on solving these problems
there are others like us out there that you know you can look for similar solutions
but you know we we really strive to look at agentic AI as a whole and solve a lot of these
security problems so amanda what is the best way for folks to find out more about
about this? Reaching out online?
Yeah. So on our blog at striker.a-I-I-K-E-R-A-I-K-E-R-A-I, we have a lot more research that we've
been putting out more topics about agentic AI. So if you have any more questions,
you know, they can reach out and ask us directly and we'd be happy to answer those.
Our thanks to Amanda Rousseau from Stryker for joining us.
The research is titled The Silent Exfiltration,
Zero-Click Agenic AI hack that can leak your Google Drive with one email.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast.
Your feedback ensures we'll be.
deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to Cyberwire at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
Thank you.
Thank you.
Thank you.
Thank you.
I don't know.