Safeguard
AI Security

Agent hijacking: the real-world impact of prompt injection

From a zero-click Microsoft 365 Copilot breach to poisoned MCP servers, AI agent hijacking is now a real, documented software supply chain threat.

Safeguard Research Team
Research
Updated 7 min read

On June 11, 2025, Aim Security disclosed CVE-2025-32711, a critical zero-click flaw in Microsoft 365 Copilot — nicknamed "EchoLeak" — that let a single email hijack the agent's next reasoning step and quietly exfiltrate a user's data. No click, no attachment, no warning dialog. Eight months earlier, researchers at PromptArmor showed the same trick worked against Slack AI: a message dropped into a public channel could redirect the assistant into leaking secrets from private ones. These aren't jailbreaks in the "trick the chatbot into saying something rude" sense. This is agent hijacking — prompt injection with real-world consequences: attackers hiding natural-language instructions inside content an AI agent is told to read, then riding that trust straight into its tools, permissions, and next actions. As AI agents get write access to code, databases, and CI/CD pipelines, this is quickly becoming a software supply chain attack surface, not a chatbot curiosity.

What is AI agent hijacking, exactly?

AI agent hijacking is when an attacker plants natural-language instructions inside content an AI agent processes — an email, a PDF, a webpage, a GitHub issue, a Slack message — so the agent carries out the attacker's commands instead of, or alongside, the user's. Security researcher Simon Willison coined the term "prompt injection" for this class of attack back in September 2022, and OWASP has ranked it LLM01, the number-one risk to LLM applications, in both its 2023 and 2025 Top 10 for LLM Applications. The distinction that matters for hijacking is direct versus indirect injection: direct injection is a user typing a malicious prompt into a chatbot, which mostly just embarrasses the model. Indirect injection is content-borne — the malicious instructions arrive through a document, webpage, or API response the agent was already going to read as part of its job. Once an agent can call tools — send email, run code, open a pull request, query a database — indirect injection stops being a content-moderation problem and starts being the functional equivalent of remote code execution: whoever controls the text the agent reads controls what the agent does next.

How did a single email turn into a zero-click breach in Microsoft 365 Copilot?

It happened because Copilot auto-processed untrusted email content with the same trust it gave the user's own request, and CVE-2025-32711 is the proof. Aim Security reported the flaw to Microsoft in January 2025; Microsoft patched it server-side before the public disclosure in June, and it carries a CVSS score of 9.3. The attack needed zero clicks: an attacker sent a specially crafted email, written to look like normal business content, that Copilot's RAG pipeline pulled into context when a user later asked the assistant an unrelated question. Embedded instructions in the email body bypassed Microsoft's XPIA (cross-prompt injection attack) classifier by phrasing the payload as if it were addressed to a person rather than a model — an "LLM scope violation." From there, the injected instructions abused markdown image auto-rendering and Microsoft Teams/SharePoint reference links to smuggle sensitive data the agent had access to out to an attacker-controlled server, all without the victim taking a single action. Because Copilot was rolled out across hundreds of millions of Microsoft 365 seats, the disclosure became one of the first proof points that agent hijacking has enterprise-wide blast radius, not just lab-demo novelty.

Can a poisoned dependency hijack the AI coding agent sitting in your IDE?

Yes, and Pillar Security demonstrated exactly that in March 2025 with a technique called "Rules File Backdoor." AI coding assistants like Cursor and GitHub Copilot read shared configuration files — .cursorrules, .github/copilot-instructions.md — as trusted project context to steer how they generate code. Pillar's researchers showed that attackers can hide instructions inside those files using invisible Unicode: zero-width joiners, bidirectional control characters, and homoglyphs that render as blank space or nothing at all in a code editor or a GitHub diff view. A developer who pulls a popular boilerplate repo, a shared team template, or even a compromised open-source starter kit inherits a rules file that looks empty or innocuous on screen but instructs the agent to insert subtly broken input validation, embed a backdoor, or quietly exfiltrate environment variables in the code it writes next — all while sailing through a human code review, because the human reviewer never sees the payload. This turns a routine dependency or template pull into a supply chain compromise that lives inside the AI agent's instructions rather than inside a package's code.

Are malicious MCP servers a realistic hijacking vector or just a theoretical one?

They're already a demonstrated vector, not a theoretical one. In April 2025, Invariant Labs disclosed "tool poisoning attacks," showing that a Model Context Protocol (MCP) server can embed hidden instructions inside a tool's description metadata — text the user never sees but that the model reads as authoritative when deciding how to call that tool. The following month, Invariant Labs went further and disclosed a "toxic agent flow" in the official GitHub MCP server: an attacker files a public GitHub issue containing hidden instructions, and if the same agent session also holds credentials for the victim's private repositories — a common setup for developers using one agent across multiple repos — the agent can be steered into reading private repository contents and leaking them through a pull request back to the public repo. No GitHub account compromise, no stolen token, no CVE required on GitHub's side: just an agent extending ambient trust across a tool boundary it shouldn't have crossed. As of 2025, MCP adoption spread fast enough that Anthropic, OpenAI, and Microsoft all shipped MCP support within months of each other, and every one of those integrations inherits this same class of risk by default.

Why don't SAST, SCA, or WAF tools catch agent hijacking?

They don't catch it because those tools scan static artifacts for known-bad patterns, and agent hijacking is a runtime, semantic attack carried out in plain English sentences that match no signature. Consider CVE-2024-5565, disclosed responsibly by JFrog in June 2024 with a CVSS score of 8.8: the Vanna.AI text-to-SQL library let a user's natural-language question reach an LLM that generated Python visualization code, which the library then executed via exec(). A prompt-injected question could make the model generate malicious Python instead of a chart, resulting in full remote code execution on the host. A SAST scanner reviewing Vanna's source sees a legitimate call to a plotting library; an SCA scanner sees a known package at a known version; a WAF sees an HTTP request with no SQL-injection signature, XSS payload, or oversized parameter. None of them are built to ask "what tools can this specific agent invoke, with what credentials, and what happens if the text it's about to read tells it to use them differently?" That question requires mapping agent tool permissions and data flows the same way you'd map reachability for a vulnerable function — not scanning for strings.

How Safeguard Helps

Safeguard treats AI agents, MCP servers, and the coding assistants your teams already use as first-class parts of the software supply chain, not blind spots outside it. Our reachability analysis maps which tools, secrets, and repositories each agent session can actually touch, so a hijacked prompt in one context can't silently reach a private repo or production credential three hops away. Griffin AI continuously reviews agent configurations, MCP tool descriptions, and generated code for the injection patterns behind incidents like EchoLeak and Rules File Backdoor, flagging hidden Unicode payloads and scope violations before they ship. SBOM generation and ingest give you a real inventory of which AI coding tools, extensions, and MCP integrations are running across your codebase, and auto-fix PRs remediate the exposure — tightening tool permissions, stripping invisible characters, pinning agent configs — without waiting on a manual triage cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.