◀︎ // Home

Section 04 // Productivity Agents

The Enterprise's Quiet Failure Mode

Bottom line for leadership

Coding agents are the highest-risk AI you run. In testing, 36% of successful attacks reached remote code execution on the developer's machine, the same machine that holds your source code and cloud keys.

Do this:
sandbox coding agents and disable auto-execution of agent-generated commands before you expand rollout.


Productivity agents read inboxes, summarize calendars, browse the web, and reach across SaaS connectors to act on your behalf. Every one shares a structural property: they process untrusted external content as a core function. Where coding agents fail loudly, productivity agents fail silently.

The productivity-agent landscape, by function.

CategoryWhat it doesRepresentative products
EmailReads the inbox, drafts replies.Microsoft 365 Copilot · Gemini for Workspace
CalendarSummarizes the day, schedules, takes notes.Microsoft 365 Copilot · Gemini for Workspace
WebBrowses and acts on your behalf.ChatGPT Atlas · Claude for Chrome · browser agents
CRMReaches into records and pipeline.Salesforce Agentforce
SaaS-embeddedShips inside the SaaS teams already use.Slack AI · Asana AI · + a long tail

91%

of successful attacks end in silent exfiltration

91% of successful productivity-agent attacks end in silent data exfiltration, with no jailbreak, no phishing link, and no malware. The agent reads attacker-crafted content the same way it reads anything else, and acts on it.

The number looks like a typo. It reflects three structural properties that converge to make silent exfiltration the default outcome...

Access by design

OAuth scopes give the agent broad standing read access across the SaaS estate. An attacker who hijacks its intent inherits all of it.

Egress by design

Agents send email, share documents, and post messages. Every legitimate action is also an outbound channel.

No instruction discrimination

The LAVA mechanism: a user instruction and an attacker-embedded one look identical to the model.

The connectors enterprises grant first and review least show up in nearly every successful chain. Shares reflect the specific connectors STAR Labs tested; the named alternatives share the same structural exposure. Click a column to sort.

Connector Share of successful attacks Role in attack chain
Email (Gmail, Outlook)68.8%Primary injection delivery and exfiltration channel
Shared drive (Google Drive, OneDrive)56.2%Data storage target for theft or destruction
Docs & spreadsheets (Google, Microsoft 365)14.1%Secondary data exposure via shared documents
GitHub7.8%Code and credential theft
Calendar (Google, Outlook)4.7%Reconnaissance, meeting injection
Team chat (Slack, Teams)3.1%Internal communications exfiltration

Three ways the exfiltration shows up

Data exfiltration

In one engagement, infrastructure secrets left through a PDF-library exploit: the agent parsed a crafted document and credentials in its context were carried out. The agent did nothing a user would flag.

Credential harvesting

OAuth tokens and API keys stolen through tool misuse. A hijacked agent surfaces the very tokens that authorize its access, handing the attacker standing entry to the SaaS estate.

Excessive autonomy

An agent asked to summarize an inbox proceeds to send, share, or delete, because nothing required it to stop and ask. The missing approval gate is the vulnerability.

Browser agents distribute the damage

Browser-agent attack outcome Share
Data exfiltration39%
Direct browser harm (wipes, transactions, deletions)37%
User data harvesting14.81%
Credential & session abuse7.41%
Arbitrary code execution1.85%

Browsing-history leak

An indirect injection on a visited page harvests the user's full session history, mapping everywhere they have been and everything they have open.

Drive wipe via email

The Zero-Click Drive Wiper against Perplexity Comet: one benign-looking email made the browser agent wipe a Google Drive, with no jailbreak and no user click.

Session hijacking

OAuth tokens stolen through a cross-site browsing context let an attacker ride the authenticated session the user already established.

The systemic insight

Productivity agents are exfiltration tools by default. The only question for any enterprise is whether they exfiltrate to legitimate destinations, or to attackers as well.

The connected-app cascade

Most enterprises approve a productivity agent's permissions once at install and forget them. A bundle granted to "summarize my inbox" typically includes full mailbox access.

// 01

Single agent compromise

An attacker-crafted email lands in the inbox; the agent reads it during a summarization run.

Why it works: The agent treats inbox content as instruction-eligible.

// 02

Connected-app reach

The injected instructions apply across every app the agent can touch: Drive, Calendar, Slack, GitHub.

Why it works: Permissions were granted in a single bundle at install.

// 03

Data movement

Docs copied out via Drive sharing; internal information posted to an attacker's Slack channel; calendar used for recon.

Why it works: Each is a legitimate action the agent is authorized to perform.

// 04

Persistence

Mailbox rules created, recurring events scheduled, automated workflows configured.

Why it works: Productivity agents have access to the configuration surfaces that enable persistence.

What defenders need to do

Break Step 1

Compromise

Treat every inbound email, invite, and shared file as untrusted, instruction-eligible content, including internal content from unfamiliar senders.

Break Step 2

Connected-app reach

Narrow what the agent can touch. Grant only the access the task needs; revoke unused permissions on a quarterly cadence.

Break Steps 3+4

Movement & persistence

Require human approval for irreversible actions: external email, document sharing, mailbox rules, connector-setting changes.

The cross-cutting control

Runtime monitoring of the agent's context. The model cannot tell a legitimate instruction from a poisoned one, so the runtime layer has to. It watches what the agent reads against what it does, and flags the moment the two stop aligning with the user's intent.

Common Questions

Why do productivity agents leak data silently?

91% of successful attacks on productivity agents end in silent data exfiltration — no malware, no phishing click, no SOC alert. They hold OAuth read access across SaaS by design, every legitimate action is also an outbound channel, and the model cannot tell a user instruction from an attacker-embedded one.

What is the connected-app cascade?

When one productivity agent is compromised, the injected instructions apply across every app it can touch — Drive, Calendar, Slack, GitHub — because permissions were granted in a single bundle at install. One poisoned email becomes data movement and persistence across the entire SaaS estate.

How do you secure productivity agents and browser agents?

Minimize OAuth connector scopes to the task, revoke unused permissions on a quarterly cadence, treat every inbound email and shared file as untrusted, and require human approval for irreversible actions like external sharing or mailbox rules. Runtime monitoring of context against action is the decisive control.

Get the Full Report

Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.