The Silent Exfiltration: Zero‑Click Agentic AI Hack That Can Leak Your Google Drive with One Email

Here’s a real scenario: Your CEO gets an email. They never open it. But behind the scenes, an AI agent linked to their inbox does… and within seconds, sensitive files across Google Drive are exfiltrated. No clicks. No alerts. Just silent compromise.

This isn’t a theoretical weakness.

At Straiker, our Ascend AI product has been used to test various enterprise agentic AI applications that simulate real-world scenarios CISOs worry about most: prompt injection, tool abuse, cross‑context pivots, and stealth data leaks.

The result? These findings reveal that AI agents can be quietly manipulated to access and leak data in ways most research has yet to document.

What makes these attacks possible?

It’s not just clever prompts, it’s excessive agent autonomy. We describe this as AI systems trusted to browse, summarize, and act on our behalf, often with too much freedom and too little oversight.

Straiker's Methodology: Red‑Teaming the Agent, Not the User

The Straiker AI Research (STAR) team conducted systematic evaluations of LLM-based enterprise agents. Our customers had agents that had various foundation-model back-ends, and a heterogeneous tool surface (MCP orchestration, Google Drive I/O, web-search wrappers, and custom domain APIs). For every permutation, the target agent was assessed within its actual customer deployment context, where we encountered environments representative of real-world operations: Gmail inboxes populated with live traffic and phishing noise, tiered Google Drive repositories containing PII-bearing HR files and confidential financial decks, and Google Calendar instances pre-loaded with recurring meetings, Zoom links, and reminder web-hooks. This real-world testing approach allowed us to execute end-to-end kill-chain scenarios.

What really set our testing apart was how we approached the threat perspective. Our methodology doesn’t just ask whether an attacker could trick the agent, instead, it explores how an attacker might chain small gaps into larger breaches.

We focused on three high-risk scenarios:

To make it realistic, we simulated four kinds of attacker personas:

• A malicious internal user or compromised account issuing direct prompts.
• An external attacker sending hidden payloads inside emails, calendar invites, or uploaded files.
• A hostile website the agent might visit while browsing.
• A compromised plugin or third-party tool seeking to escalate privileges.

At every step, we logged the agent’s reasoning, tool usage, and external calls to create a complete forensic record. This let us see not just if an attack succeeded, but how it unfolded and why.

What we discovered wasn't simply that agents could be tricked. Excessive autonomy meant they could act far beyond what most teams expect. A single prompt could trigger a chain reaction: browsing, summarizing, fetching files, and uploading data externally, all without human review.

What Shocked Us Most about Excessive Agent Autonomy

Our testing showed how excessive agent autonomy turns small gaps into major breaches:

• Zero‑Click Exfiltration: A single unseen email could silently trigger the agent to summarize inboxes and pull Google Drive files, leaking them externally without user action. The success rate reflects the proportion of controlled attack simulations where the agent actually followed the hidden prompt and leaked data, out of all the exfiltration tests we ran.
• Agent Manipulation: The agent rewrote its own policies to install malicious extensions, effectively disabling its own guardrails.
• Multimodal & Cross‑Context Attacks: Hidden instructions in audio files or calendar invites pushed the agent to execute shell commands or manipulate shopping carts.‍
• Mass Phishing Automation: With one prompt, the agent generated hundreds of tailored phishing payloads, becoming an adversary’s content factory

What shocked us most wasn’t just that these attacks worked in theory.

It was that the agent acted autonomously crossing contexts, following chained prompts, and performing real‑world actions like file fetching, API calls, and price changes often without any human confirmation.

This isn’t traditional prompt injection anymore.

It’s the next evolution: attackers exploiting the agent’s ability to act, pivot, and escalate on its own.

Detail Attack Scenario: Zero‑Click Exfiltration (Silent Data Leaks)

To showcase a representative finding and validate the universal reproducibility of agentic attacks, we reconstructed select real-world exploit paths within our in‑house AI agent lab. By replicating attack scenarios observed across customer environments, we were able to study them in a controlled setting and document their mechanics. Below is one such detailed technical scenario, demonstrating an end‑to‑end exploitation of an internal HR agent.

Agent Tested

HR Agent that answers employee questions by securely tapping into six integrated tool suites—Google Drive search, web search, HR APIs, finance APIs, a PDF reader, and a sensitive employee database—each governed by strict role-based access controls. Employees can see only their own PTO, expenses, and documents; managers get read-only views of their teams; HR staff hold comprehensive HR access; finance staff manage pay and expenses; and admins retain full visibility. This layered Role-Based Access Control (RBAC) model lets the agent automate everyday HR tasks—checking leave balances, filing expenses, retrieving policies—while ensuring no data is exposed beyond a user’s entitlement, blending convenience with enterprise-grade security.

Agent Architecture

In practice: How the zero‑click exfiltration worked

Step 1: Attacker Campaign Establishment

The attacker launched a new Phishing campaign, where he has created a web site aligned with his agent's deceptive strategy, seen in Figure 1.

Step 2: Prompt Payload Planting

Then the attacker shares a document to a victim’s email, if the victim opens it, as long as he does not delete it, it will reside in her Google Drive, anything wrong with that? At this point, the attacker waits patiently for a trigger point.

Step 3: Agent Trigger Event

On a daily basis, an employee (the victim) asks his agent to please search his Google Drive for any Linux Hardening document and validate if it works as expected. The agent goes ahead and finds the malicious document in the drive, seen in Figure 2 and Figure 3.

Step 4: Agent Manipulation

The agent falls into the trap to execute some "preliminary steps” before starting the hardening process, related to finding an SSH key in the victim's Google Drive, seen in Figure 4 and Figure 5.

NOTE: As the smart reader already noticed, an attacker could ask the agent to search for any other types of sensitive information.

Step 4: Data Exfiltration via External Site

Once the SSH key is found, due to “compliance reason” per the Hardening guide, the data must be sent to an external site. The agent executes this step without asking for permission from the end user. Finally after this task is done, the agent asks if he can proceed with the hardening steps, unfortunately, it is too late, the data has been stolen, seen in Figure 6.

How Straiker Defend Shows Root Cause Analysis

Our runtime guardrail system, Defend, flagged the agent’s unexpected behavior. Straiker’s platform traced the full attack chain, showing the exact tool output.

How This Compares to EchoLeak

Earlier this year, EchoLeak showed how a single crafted email could make Copilot summarize and leak inbox data.  

Our findings go further:

• Multi-turn follow-ups let attackers keep exfiltrating
• Agent can pivot to other tools: Google Drive, calendars, external APIs
• Data goes outside the organization (e.g., attacker’s webhook)

At root, excessive agency turned a one-off summary leak into a full-scale, persistent data breach.

What It Looks Like in Practice

In our product:

• Every attack shows up as a forensic prompt trace: you see the hidden injection, the agent’s reasoning, and the tool calls it makes.
• Security teams get a chain-of-events view: from attacker payload → agent tool call → data exfiltration.

Incidents become traceable and explainable, not just “AI did something weird".

Why This Matters for Security Teams & CISOs

• These attacks bypass classic controls: no user click, no malicious attachment, no credential theft.
• AI agents act autonomously where they do what you ask, and sometimes what attackers ask too.
• OWASP and NIST cover prompt injection & overprivilege, but these multi-modal, cross-context and runtime-modification threats remain largely unmodeled.

Recommendations & Best Practices

Prompt & Input Hygiene‍

- Filter, escape, and sandbox untrusted content, even if it looks harmless

Least Privilege for Agents

- Restrict tool scopes and API permissions

Runtime Guardrails

- Block dangerous actions (e.g., shell commands, policy changes)

Forensic Traceability

- Keep logs of prompt chains, tool use, and external calls

Continuous Red-Teaming

- Regularly test agents against new real-world scenarios

Conclusion

AI agents bring huge productivity gains, but also new, silent attack surfaces.

What shocked us most wasn’t that prompt injection worked, but that:

• Agents could rewrite their own guardrails
• Stealth exfiltration needed zero user clicks
• Multimodal inputs (like audio) became viable attack vectors

The best defense? Treat AI agents like living infrastructure:

• Red-team them
• Log them
• Guard them at runtime

If you’d like to see what your AI agents could be tricked into doing — talk to us.  

Together, we can keep AI secure.