Research Notes

Zero-Click Agent Data Exfiltration in Connected Assistants

By Satwik ยท June 28, 2026

As assistants gained connectors to email, calendars, documents, and enterprise data, researchers demonstrated exfiltration chains that require no action from the victim beyond normal use. In 2025, work in this vein, including research branded under names such as EchoLeak against Microsoft 365 Copilot and a series of demonstrations by Johann Rehberger and others against various connected assistants, showed how a single crafted document or email could set the whole chain in motion.

The pattern combines several primitives from earlier notes. Untrusted content arrives through a connector and is retrieved into the model's context. An indirect prompt injection in that content directs the assistant to gather sensitive data from the user's other connected sources. The exfiltration then rides an automatic rendering or fetch behavior, such as an image load or a link preview, so the data leaves without the user clicking anything. The victim simply asks the assistant a routine question, or in the strongest cases the payload triggers on ingestion alone.

Why it matters: zero-click chains collapse the gap between a malicious input existing somewhere and data actually leaving. The user is not tricked into a mistake; the mistake is structural in how the agent trusts content and executes rendering. Broad connector permissions make the blast radius the union of everything the assistant can reach.

The defensive lesson is to break the chain at every link. Enforce least-privilege connector scopes, isolate untrusted retrieved content from instruction handling, strictly control automatic rendering and outbound fetches, and require confirmation for cross-source data movement. Vendors patched specific instances, but the class persists wherever connected agents auto-process untrusted input.