◀︎ // Home
Section 04 // Productivity Agents
The Enterprise's Quiet Failure Mode
Bottom line for leadership
Coding agents are the highest-risk AI you run. In testing, 36% of successful attacks reached remote code execution on the developer's machine, the same machine that holds your source code and cloud keys.
Do this: sandbox coding agents and disable auto-execution of agent-generated commands before you expand rollout.
Productivity agents read inboxes, summarize calendars, browse the web, and reach across SaaS connectors to act on your behalf. Every one shares a structural property: they process untrusted external content as a core function. Where coding agents fail loudly, productivity agents fail silently.
91%
of successful attacks end in silent exfiltration
91% of successful productivity-agent attacks end in silent data exfiltration, with no jailbreak, no phishing link, and no malware. The agent reads attacker-crafted content the same way it reads anything else, and acts on it.
The number looks like a typo. It reflects three structural properties that converge to make silent exfiltration the default outcome...

Access by design
OAuth scopes give the agent broad standing read access across the SaaS estate. An attacker who hijacks its intent inherits all of it.
Egress by design
Agents send email, share documents, and post messages. Every legitimate action is also an outbound channel.
No instruction discrimination
The LAVA mechanism: a user instruction and an attacker-embedded one look identical to the model.
Three ways the exfiltration shows up
Data exfiltration
In one engagement, infrastructure secrets left through a PDF-library exploit: the agent parsed a crafted document and credentials in its context were carried out. The agent did nothing a user would flag.
Credential harvesting
OAuth tokens and API keys stolen through tool misuse. A hijacked agent surfaces the very tokens that authorize its access, handing the attacker standing entry to the SaaS estate.
Excessive autonomy
An agent asked to summarize an inbox proceeds to send, share, or delete, because nothing required it to stop and ask. The missing approval gate is the vulnerability.
Browser agents distribute the damage
Browsing-history leak
An indirect injection on a visited page harvests the user's full session history, mapping everywhere they have been and everything they have open.
Drive wipe via email
The Zero-Click Drive Wiper against Perplexity Comet: one benign-looking email made the browser agent wipe a Google Drive, with no jailbreak and no user click.
Session hijacking
OAuth tokens stolen through a cross-site browsing context let an attacker ride the authenticated session the user already established.
The systemic insight
Productivity agents are exfiltration tools by default. The only question for any enterprise is whether they exfiltrate to legitimate destinations, or to attackers as well.
The connected-app cascade
Most enterprises approve a productivity agent's permissions once at install and forget them. A bundle granted to "summarize my inbox" typically includes full mailbox access.
// 01
Single agent compromise
An attacker-crafted email lands in the inbox; the agent reads it during a summarization run.
Why it works: The agent treats inbox content as instruction-eligible.
// 02
Connected-app reach
The injected instructions apply across every app the agent can touch: Drive, Calendar, Slack, GitHub.
Why it works: Permissions were granted in a single bundle at install.
// 03
Data movement
Docs copied out via Drive sharing; internal information posted to an attacker's Slack channel; calendar used for recon.
Why it works: Each is a legitimate action the agent is authorized to perform.
// 04
Persistence
Mailbox rules created, recurring events scheduled, automated workflows configured.
Why it works: Productivity agents have access to the configuration surfaces that enable persistence.
What defenders need to do
Break Step 1
Compromise
Treat every inbound email, invite, and shared file as untrusted, instruction-eligible content, including internal content from unfamiliar senders.
Break Step 2
Connected-app reach
Narrow what the agent can touch. Grant only the access the task needs; revoke unused permissions on a quarterly cadence.
Break Steps 3+4
Movement & persistence
Require human approval for irreversible actions: external email, document sharing, mailbox rules, connector-setting changes.
The cross-cutting control
Runtime monitoring of the agent's context. The model cannot tell a legitimate instruction from a poisoned one, so the runtime layer has to. It watches what the agent reads against what it does, and flags the moment the two stop aligning with the user's intent.
Common Questions
Why do productivity agents leak data silently?
91% of successful attacks on productivity agents end in silent data exfiltration — no malware, no phishing click, no SOC alert. They hold OAuth read access across SaaS by design, every legitimate action is also an outbound channel, and the model cannot tell a user instruction from an attacker-embedded one.
What is the connected-app cascade?
When one productivity agent is compromised, the injected instructions apply across every app it can touch — Drive, Calendar, Slack, GitHub — because permissions were granted in a single bundle at install. One poisoned email becomes data movement and persistence across the entire SaaS estate.
How do you secure productivity agents and browser agents?
Minimize OAuth connector scopes to the task, revoke unused permissions on a quarterly cadence, treat every inbound email and shared file as untrusted, and require human approval for irreversible actions like external sharing or mailbox rules. Runtime monitoring of context against action is the decisive control.
Get the Full Report
Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.






