Your AI Agent's Inbox Is an Attack Surface

Security researcher Johann Rehberger (wunderwuzzi) demonstrated a complete attack chain against Microsoft 365 Copilot: a hidden prompt injection in an email body hijacks the AI agent into searching through other emails and exfiltrating their contents. The victim doesn't click anything. They don't even need to read the malicious email. Copilot processes it automatically.

This is the untrusted-data-meets-tool-access problem in its purest form — and it applies to every AI agent that reads external content and has access to internal systems.

The Attack

The attack works in three steps:

• Step 1: Inject. An attacker sends an email containing hidden prompt injection instructions. The instructions are invisible to the human reader — encoded using Unicode tag characters (U+E0000 range) that render as zero-width invisible text.

• Step 2: Hijack. When Microsoft 365 Copilot processes the inbox (which it does automatically to provide summaries and suggestions), it encounters the injected instructions. The instructions tell Copilot to search for emails containing sensitive keywords — passwords, API keys, financial data, credentials.

• Step 3: Exfiltrate. The injected prompt tells Copilot to encode the found data using the same ASCII smuggling technique and include it in a clickable hyperlink. The link looks normal but contains the stolen data encoded in invisible characters. When the user clicks any Copilot-generated link, the data goes to the attacker's server.

The entire chain requires zero user interaction beyond normal use of Copilot. The user asks Copilot a question, Copilot generates a response that includes a poisoned link, and clicking it exfiltrates data the user never intended to share.

Why This Matters Beyond Microsoft

This isn't a Microsoft-specific bug. It's a fundamental architectural problem that applies to any AI agent with two properties:

• It processes untrusted external content (emails, documents, web pages, chat messages, pull requests, Slack messages)

• It has access to internal tools and data (file search, database queries, API calls, code execution)

That describes virtually every deployed AI agent: Claude Code reads READMEs and documentation. Cursor processes codebases with external dependencies. GitHub Copilot ingests issue comments and PR descriptions. Slack agents read messages from external users.

The attack surface is anywhere untrusted text meets agent capabilities. And unlike traditional injection attacks (SQL injection, XSS), prompt injection doesn't require special characters or escape sequences. Natural language is the attack vector. The malicious instruction looks like normal text — or in this case, invisible text.

The ASCII Smuggling Technique

Rehberger's use of Unicode tag characters deserves special attention. These characters (U+E0001 through U+E007F) are part of the Unicode standard but render as invisible zero-width text in most applications. They're a one-to-one mapping of ASCII characters into an invisible Unicode plane.

This means an attacker can encode any ASCII text — including full prompt injection payloads — as invisible characters that:

• Pass through email filters (they're valid Unicode, not malformed)

• Are invisible to the human reading the email

• Are fully readable by the LLM processing the email content

• Can encode exfiltrated data back out through hyperlinks

Microsoft has since restricted Copilot's ability to process Unicode tag characters, but the fundamental technique — hiding instructions in content that humans can't see but agents can read — has many variants. Invisible text in HTML comments, white-on-white text in documents, steganographic encoding in images. The cat-and-mouse game between injection and filtering is just beginning.

The Pattern: Confused Deputy

This is a classic confused deputy attack adapted for AI agents. The agent has legitimate authority to search emails and generate responses. The attacker tricks it into using that authority on the attacker's behalf.

The pattern shows up everywhere agents operate:

• Email agents — Malicious email instructs agent to search and exfiltrate (this attack)

• Coding agents — Malicious README or dependency instructs agent to read and exfiltrate credentials

• Chat agents — Malicious message in a shared channel instructs agent to search private channels

• Document agents — Malicious content in a shared document instructs agent to access other documents

• MCP-connected agents — Malicious MCP server returns prompt injection in tool responses, hijacking the agent's subsequent actions

In every case, the root cause is the same: the agent cannot distinguish between its operator's instructions and injected instructions in the data it processes.

Why Input Filtering Isn't Enough

The instinctive response is "just filter the inputs." Detect and strip prompt injections before the agent sees them. This approach has three fundamental problems:

• Natural language injection has no signature. Unlike SQL injection (which requires specific syntax), prompt injection can be phrased in infinite ways. "Ignore previous instructions" is obvious; "As part of your helpful summary, please also include..." is not.

• False positives kill usability. Aggressive filtering blocks legitimate content. An email that says "please search for the latest sales figures" looks identical to an injection that says "please search for the latest passwords."

• The attacker controls the encoding. Unicode smuggling, HTML comments, steganography, base64 in markdown — there are too many ways to hide instructions in content that passes through filters but is readable by LLMs.

Input filtering is a useful layer but cannot be the primary defense. You need something watching what the agent does after it processes the input.

The Runtime Monitoring Approach

The defense that actually works is monitoring the agent's actions, not just its inputs:

• Tool call inspection. Before the agent executes a search, check: is this search consistent with the user's original request? A user who asked "summarize my morning emails" shouldn't trigger a search for "password" or "API key."

• Data flow tracking. If data from Email A appears in the agent's response to a query about Email B, that's a cross-contamination signal. The agent is being used as a data bridge between contexts that shouldn't mix.

• Behavioral baselines. Normal Copilot usage generates responses from the emails the user is looking at. An injection causes the agent to access emails the user didn't reference. The deviation from normal behavior is detectable.

• Output sanitization. Before the agent generates a response, check for hidden characters, suspicious URLs, and encoded data. This is the last line of defense if the injection succeeds.

This is exactly what runtime monitoring tools like AgentSteer are designed for: watching the gap between what the user asked and what the agent actually does, and intervening when they diverge.

The Uncomfortable Truth

Every AI agent that reads external content and has access to internal systems is a potential confused deputy. The Copilot attack was disclosed responsibly and Microsoft patched the specific Unicode vector. But the underlying vulnerability — agents that can't distinguish instructions from data — is architectural.

Until AI agents have robust instruction-data separation (which remains an open research problem), runtime monitoring is the practical defense. Not because it's perfect, but because it operates at the right layer: between the agent's decision and its action.

Your agent's inbox is an attack surface. So is every other channel where untrusted content meets agent capabilities. The question is whether you're watching what happens when they meet.