An AI agent can be attacked by an email you never open. No click. No download. No opened attachment. Just a “confused deputy,” an agent that has failed to distinguish a prompt from data, a problem known as prompt injection.
Three Prompt Injection Vulnerability Examples
Security researchers recently demonstrated prompte injection mechanisms with ShadowLeak: a single email containing hidden instructions. When the recipient later asked ChatGPT’s Deep Research agent to review Gmail, the agent read the hidden prompt and quietly exfiltrated inbox data from OpenAI’s cloud — where ordinary endpoint defenses would not detect it.
A later Claude.ai demonstration required even less. Researchers at Oasis Security showed how hidden instructions, triggered via a Google search-and-ad path, could be chained together to extract a user’s private conversation history. No integrations. No MCP servers. A default account.
Then came another warning sign (also explained in the Oasis Security article): researchers at PromptArmor demonstrated how a malicious document could prompt Claude Cowork to upload confidential files via the agent’s own authorized access.
The Pattern

Different products. Different attack paths. Same basic problem.
The agent reads untrusted content. The content contains hidden instructions. The agent has permissions. The attacker tries to make those permissions work for them.
Some of these specific vulnerabilities have been patched. The point is that prompt injection is not just another software bug waiting for next quarter’s update. It is a recurring security problem built into the basic design of agentic AI.
An agent that reads thousands of emails, PDFs, websites, and file attachments faces a constant stream of potential attacks. One success can mean the disclosure of client confidences, a waived privilege, or a missed deadline.
My article “Prompt Injection: What Lawyers Considering Agentic AI Must Know” provides a broader overview of these issues.








