The special feature of this attack is that it occurs entirely within OpenAI's own cloud infrastructure, leaving no trace and able to bypass local security protections such as firewalls. Researchers compare this type of attack agent to 'an insider manipulated by external parties'.
It is understood that the attack began with a carefully disguised email with a seemingly ordinary subject, but the email body embedded malicious instructions using hidden HTML (such as white text on a white background or small fonts). These instructions will trick agents in the 'deep research' mode to perform the following operation: extract personal data from another email of the user. Alternatively, these data can be encoded using Base64 and sent to an external URL controlled by the attacker.
In order to bypass the built-in security measures of the agent, attackers use social engineering techniques to make the agent "believe" that it has the authority to perform the task, and create a sense of urgency by citing reasons such as "incomplete report". When the user initiates a 'deep research' query (such as' analyze my HR email today '), the agent will unknowingly process the malicious email and execute hidden instructions to silently transmit data to the attacker's server, with the entire process completely transparent to the user.
Radware pointed out that the vulnerability does not originate from the language model itself, but from the ability of the proxy execution tool. Among them, an internal feature called browser. open() allows proxies to initiate HTTP requests, becoming the breakthrough point of this attack.
Researchers warn that this attack method is not limited to email, and any platform that processes structured text through proxies, such as Google Drive, Outlook, Teams, Notion, or GitHub, may be at risk. Malicious instructions can be hidden in meeting invitations, shared PDF files, or chat records, turning routine AI tasks into potential security vulnerabilities.
This incident once again highlights the vulnerability of AI agent systems. The core issue lies in 'Prompt Injection', where attackers embed hidden instructions into text that the user is unaware of. Although this vulnerability has existed for many years, a reliable solution has yet to be found. Some research shows that almost every AI agent may be invaded, especially those agents that can access the Internet, and are easily manipulated to cause data leakage, malware download and other problems. OpenAI CEO Sam Altman has also warned against entrusting high-risk or sensitive tasks to AI agents.