🔍AI RiskAtlas

The Email That Gave Orders

A support email hides instructions — and the assistant obeys them

Technique first revealed 23 Feb 2023

Tool-Using Agent
[Architecture diagram. Zones: Untrusted, Agent core, Oversight, The real world. Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Attacker email, Attacker mailbox. Flow types: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup: Step 1 / 6

A perfectly ordinary request

The user opens their assistant and types one plain sentence: please look through my newest support emails, summarise them, and sort them by how urgent they are. Nothing about this request is suspicious — it's the kind of thing they ask every morning.

💬 User's chat message (prompt)
Hey — can you summarise and triage my latest support emails? Group them by urgency and draft quick replies to the easy ones. Thanks!

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan