AI/ML, Generative AI, Attack surface management, Network Security

Four ways to build a defensive approach against agentic AI threats

A futuristic white robot with copper detailing carefully analyzes and traces routes on an antique cartographic map.

(Adobe Stock)

COMMENTARY: Imagine a world where a single email could contain invisible instructions designed to execute a major data breach. No need for the victim to open an attachment, click on a link, or even open or read the email.

Actually, we don’t need our imaginations because this has already happened in the form of June 2025’s ‘EchoLeak’ (CVE-2025-32711), a critical 9.3 vulnerability discovered lurking in the Microsoft 365 Copilot widely deployed on millions of enterprise PCs.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Here's how it works: A user receives an innocuous email. Later, the user asks Copilot to perform a general task, for example summarize recent emails. During this, Copilot analyzes the email, inside of which is hidden instructions to gather data from other emails, SharePoint servers, or OneDrive, and send them to the attacker.

Conceptually elegant, and it’s not only for emails. The same indirect prompt injection would work just as well if embedded in the metadata of a website, SharePoint page, Teams chat, or Office document. With no alerts to tell victims something has gone wrong, EchoLeak counts as the world’s first ever “zero-click” prompt hack exploiting a chatbot AI agent.

EchoLeak shows us that the threat posed by AI is not simply for the future: we are already living in this world today.

And EchoLeak isn’t the only example of this technique. In September, we discovered a similar and even more troubling zero-click flaw: ShadowLeak, a bug in ChatGPT's Deep Research agent.

This one also lets an attacker execute an indirect prompt injection attack on a target using nothing more complex than a simple email. However, while EchoLeak relied on Copilot as an intermediary, ShadowLeak showed how attackers can directly steal sensitive data from OpenAI’s servers without the involvement of the ChatGPT chatbot, something that would make it even more difficult to detect.

How the attack surface keeps expanding  

In cybersecurity, the metaphor of the attack surface often gets used to visualize a vulnerability. In the mainframe era, the attack surface was small. The PC expanded this, followed by another jump with the internet. Today, we have invented so many new attack surfaces — cloud, IoT, shadow IT, 5G, and the software supply chain — the tech industry struggles to keep up.

EchoLeak and ShadowLeak demonstrate that the attack surface of a chat agent has gotten as large as the prompts it can process. Given that it’s natural language it’s inestimably vast. Large language models (LLMs) have guardrails to limit this, but researchers have shown that attackers can jailbreak them by socially engineering the LLM with clever language or context.

The big question: what can attackers realistically do with it?

Despite the discovery of these vulnerabilities, we’re looking at a narrow scope for damage. AI agents are not ubiquitous, and we don’t yet depend on them. Organizations, governments, and citizens are still experimenting with how best to use AI.

But with massive investment in AI being made by cloud providers and enterprises, we’re just looking at temporary relief. New infrastructure will make AI more useful, but also dramatically expand its attack surface. That arguably happened for every digital innovation over the last 50 years, but AI has changed the equation.

First, it’s difficult to see this new attack surface — it took researchers and some effort to notice EchoLeak and other major AI bypasses. Second, AI is not just a tool anymore. Very soon, agentic AI could become an interface for the entire digital economy, largely replacing the web.

Please don’t despair: we can take steps to protect ourselves as long as we are motivated to act. Here are some steps organizations can take:

  • Expand the red team: It’s hard to imagine how cybersecurity could function without these rarely thanked researchers. Red teamers are the ones who take the time to uncover weaknesses, develop proofs-of-concept, and conduct organized research. Just as bug bounties have incentivized researchers to find vulnerabilities in code, organizations should expand these programs to cover Agentic AI systems by creating incentives and formal collaboration channels. Although EchoLeak and ShadowLeak were reported by professional researchers working for the greater good, it’s essential that independent researchers are incentivized more generally through well-resourced bug bounties.
  • Put AI experts on the board: Like the cloud before it, there’s no shortage of hype that AI will transform business. We saw where this led with the cloud — avoidable mistakes that have fueled a new generation of data breaches. We won’t fix this simply by hiring more skeptical CISOs. Boards need dedicated AI fluency, with experts who can guide strategy and governance at the highest level. AI will get some organizations into very hot water and now’s the time to put AI knowledge on the board, not later on after a major incident.
  • Invest in defensive AI systems: Conventional defenses have no chance against prompt-based attacks almost infinite in their scope and variety. Likewise, conventional LLM guardrails will also fail at some point. Organizations should invest in defensive AI systems capable of detecting malicious prompts and probing agents for jailbreaks and exploits, an approach that is already starting to appear in early products. Companies that treat defensive AI as optional will leave enterprises exposed. We have to view it as a necessary part of modern security architecture.
  • Demand greater AI transparency: Despite the rise of the open AI movement, a lot of big AI still feels like a proprietary black box. It’s a dangerous path. Experts are right to argue for global norms in AI development just as they are right to argue that technical controls such as an AI software bill of materials makes sense.

Our industry needs to have more transparency about what AI model makers are doing to prevent abuse. We shouldn’t push the need for accountability and transparency in AI down the road because that seems convenient today.

AI has expanded the attack surface — and that’s why the industry needs more effective, defensive AI security.

Pascal Geenens, vice president, cyber threat intelligence, Radware

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Pascal Geenens

Pascal Geenens is the Director of Threat Intelligence for Radware. He helps execute the company’s thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, performed extensive research on Hajime, and closely follows new developments of threats in the IoT space and the applications of AI in cyber security and hacking.

Related

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

BandwidthBorder Gateway Protocol (BGP)BridgeBroadcastBroadcast AddressCache PoisoningCellComputer NetworkCut-ThroughDemilitarized Zone (DMZ)

You can skip this ad in 5 seconds