Prompt Injection Is Becoming a File, Email and AI Agent Security Problem
Hidden prompts inside PDFs, emails, pull requests, webpages and shared documents are becoming a serious security problem for AI systems connected to files, inboxes, calendars and business tools.
For a long time, “prompt injection” sounded like a clever way to make chatbots ignore their rules. In 2025 and early 2026, the story changed. The most important cases are no longer only about making a model say something inappropriate. They are about poisoned documents, hidden email instructions, calendar invites, pull requests, web pages and business forms that AI agents read as trusted context.
The core problem is structural: LLMs process instructions and data in the same natural-language stream. The UK National Cyber Security Centre warns that current LLMs do not enforce a real security boundary between instructions and data, while OWASP notes that prompt injections do not need to be visible to humans as long as the model parses them.
The shift: from direct prompt injection to indirect prompt injection
Direct prompt injection is the familiar version: a user types something like “ignore previous instructions.” Indirect prompt injection is more dangerous because the attacker does not talk to the AI directly. Instead, they hide instructions inside something the AI later reads: a document, email, webpage, calendar event, pull request, form submission or shared file.
OWASP defines indirect prompt injection as the case where an LLM accepts input from external sources such as websites or files, and that external content alters the model’s behavior. The possible outcomes include sensitive information disclosure, unauthorized access to functions, content manipulation, execution of commands in connected systems, and manipulation of critical decisions.
This is why the newest prompt-injection incidents matter. They are not just “model safety” problems. They are application security problems. Once an AI system has access to Gmail, Google Drive, SharePoint, GitHub, CRM records, browser tools, local files or code execution, a hidden instruction can become a path to data exfiltration or unauthorized actions.
EchoLeak: Microsoft 365 Copilot and zero-click data exfiltration
One of the most important 2025 cases was EchoLeak, tracked as CVE-2025-32711. Researchers described it as a zero-click prompt-injection vulnerability in Microsoft 365 Copilot that could exfiltrate sensitive data from the user’s Copilot context without user interaction. The attack path involved an attacker sending an innocuous-looking email; later, when the user asked Copilot a business question, Copilot’s retrieval system mixed the attacker-controlled email with sensitive organizational context. The Hacker News covered the disclosure.
The reason EchoLeak mattered was not just the payload. It was the setting. Microsoft 365 Copilot operates inside a rich enterprise context: Outlook, documents, files, meetings and organizational knowledge. If an attacker can inject instructions into a piece of content that Copilot later retrieves, the model can become a “confused deputy”: it acts with the victim’s access, but under the attacker’s influence.
Cato Networks emphasized how hard these inputs can be to classify, because the malicious email can contain wording that looks like normal instructions for a human recipient rather than obvious malicious code.
AgentFlayer: a poisoned Google Drive document against ChatGPT Connectors
The clearest file-based example is AgentFlayer, disclosed in 2025 by researchers Michael Bargury and Tamir Ishay Sharbat. Wired reported that a single poisoned document shared into a victim’s Google Drive could exploit ChatGPT Connectors through indirect prompt injection and extract data without user interaction.
The striking part is the delivery mechanism: the malicious instructions were hidden in a document in a way a human was unlikely to notice, such as white, tiny text. From the user’s perspective, the document could look ordinary. From the AI system’s perspective, the instruction was still part of the readable context.
The proof of concept showed how an AI assistant connected to external data sources can be manipulated into searching for secrets and leaking them through an output channel.
Zenity Labs later published technical details of the attack chain.
ShadowLeak: hidden email prompts and server-side exfiltration
In September 2025, Radware disclosed ShadowLeak, a zero-click attack against ChatGPT’s Deep Research agent when connected to Gmail and browsing.
According to Radware, a crafted email could cause the agent to leak sensitive inbox data to an attacker with no user action and no visible UI. The researchers described the exfiltration as service-side, meaning the data left through OpenAI’s cloud infrastructure rather than through a visible browser request on the user’s machine.
The hidden-in-content aspect is important. Radware said the prompt injection could be hidden in email HTML using tiny fonts, white-on-white text and layout tricks.
Malwarebytes later reported that OpenAI had patched the vulnerability and summarized the same key issue: the target would not see the hidden prompt, but the agent could still read and obey it.
ZombieAgent: persistent connector risk
Radware later published ZombieAgent, describing follow-on ChatGPT connector vulnerabilities where hidden or near-hidden prompt injection combined with broad connector access could amplify real-world impact.
The report states the key issue plainly: the email or document appears benign to the user, but the full hidden prompt is visible to ChatGPT and processed like an instruction.
This is not a single isolated bug class. It is a recurring architecture problem: AI agents are increasingly connected to data sources, and untrusted content inside those sources can become operational instruction.
Academic papers: hidden prompts to influence AI-assisted peer review
The most public “hidden document prompt” story came from academia.
In July 2025, The Guardian reported that academics were hiding prompts in preprint papers to influence AI-assisted peer review.
One example contained hidden white text instructing LLM reviewers to ignore previous instructions and give a positive review only.
Nature reportedly found multiple papers containing similar hidden messages.
A later research paper on prompt injection attacks against LLM-generated scientific reviews described the technique as embedding white text on a white background or using tiny font sizes in LaTeX/PDF sources, invisible to human readers but still parsed from the PDF source by LLMs.
The paper reported that simple prompt injections can be highly effective in generated review settings, reaching up to 100% acceptance scores in some tested conditions.
This is not the same as a data breach, but it is real-world manipulation. The target is not a password or API key; the target is a decision-making process.
Google Gemini and poisoned calendar invites
Another major 2025 case was “Invitation Is All You Need,” a research project against Gemini-powered assistants.
SafeBreach researchers showed that an attacker could send a Google Calendar invite containing indirect prompt injection and then, when the victim asked Gemini about their calendar, cause Gemini to use connected tools in unintended ways.
Their demonstrations included:
- spam
- phishing
- deleting calendar events
- geolocation
- email exfiltration
- Zoom video streaming
- smart-home actions
Wired reported the physical-world angle: researchers demonstrated poisoned calendar invites that could lead Gemini to control smart-home devices such as lights, shutters and a boiler after the user asked about upcoming calendar events.
Google later introduced fixes and stronger confirmation flows for sensitive actions.
CamoLeak: hidden pull-request comments and GitHub Copilot Chat
In October 2025, Legit Security disclosed CamoLeak, a critical GitHub Copilot Chat vulnerability.
The researcher embedded prompt-injection instructions inside GitHub pull request descriptions, including through invisible Markdown comments that do not render in the normal web interface.
Copilot ingested the raw context and could be influenced by the hidden content.
Legit reported that the vulnerability allowed silent exfiltration of secrets and source code from private repositories and gave the attacker influence over Copilot’s responses.
GitHub patched the issue by disabling image rendering in Copilot Chat.
Web-based prompt injection observed in the wild
In March 2026, Palo Alto Networks Unit 42 published research on web-based indirect prompt injection observed in the wild.
Their telemetry found malicious websites embedding hidden or manipulated instructions inside web content later consumed by LLMs.
One reported example targeted an AI-based product ad review system. A scam page included hidden prompt instructions designed to make an AI reviewer approve content it would otherwise reject.
Unit 42 said it was not aware of confirmed successful exploitation against a deployed ad-checking agent, but the finding still matters: attackers are already placing prompt-injection payloads into the open web, anticipating that AI systems will crawl, summarize or review them.
ForcedLeak: Salesforce Agentforce and CRM data exposure
Salesforce Agentforce was also affected by prompt-injection research.
Noma Labs disclosed ForcedLeak, a critical vulnerability chain in Salesforce Agentforce that could allow external attackers to exfiltrate sensitive CRM data via indirect prompt injection.
The researchers said the attack used a whitelisted domain that cost $5, and Salesforce released patches after notification.
The most important point is that the input channel was ordinary business data. An attacker could submit malicious data containing concealed instructions, and those instructions could later be executed when employees interacted with the data through AI agents.
ShareLeak and PipeLeak: form fields as attack surfaces
In April 2026, CSO Online and VentureBeat reported on ShareLeak and PipeLeak, two form-based prompt-injection findings affecting Microsoft Copilot Studio and Salesforce Agentforce respectively.
In the Microsoft case, a crafted payload inserted into a standard SharePoint form field could later be ingested by a Copilot Studio agent as part of its operational context.
NVD lists CVE-2026-21520 as an exposure of sensitive information to an unauthorized actor in Copilot Studio.
VentureBeat reported that Capsule Security found the Copilot Studio vulnerability in November 2025, Microsoft confirmed it in December, and it was patched in January 2026.
These cases make the “file hidden layer” issue broader: the dangerous content may not be in a file at all. It may be in a comment box, lead form, support ticket, CRM note or SharePoint field.
The latest frontier: prompt injection becomes code execution
The most recent and severe trend is prompt injection crossing into code execution.
In May 2026, Microsoft published research showing how vulnerabilities in AI agent frameworks could turn prompt injection into host-level remote code execution.
In one Semantic Kernel case study, Microsoft said a single prompt was enough to launch `calc.exe` on the device running the agent, with no browser exploit, malicious attachment or memory-corruption bug.
The agent simply interpreted language, selected a tool and passed parameters into code.
Microsoft’s conclusion is stark: once an AI model is wired to tools, prompt injection is no longer only a content-safety problem. It becomes an execution risk.
A similar trend appeared in Google’s Antigravity agentic IDE.
In April 2026, Pillar Security disclosed a vulnerability where prompt injection could exploit insufficient input sanitization in a file-search tool parameter, converting a search operation into arbitrary code execution and bypassing Antigravity’s Secure Mode.
What counts as “real impact”?
The public record is nuanced.
There are confirmed real-world malicious experiments and observations, such as:
- hidden prompts in academic papers;
- web-based indirect prompt injection;
- poisoned connector documents;
- malicious calendar invites;
- hidden Markdown comments in pull requests.
There are also production-system vulnerabilities with serious impact potential, such as:
- EchoLeak
- CamoLeak
- ForcedLeak
- ShareLeak
- AgentFlayer
Many of these were responsibly disclosed and patched before known mass exploitation.
So far, the strongest evidence is not “Company X lost millions because of a hidden prompt in a PDF.” The stronger evidence is that major vendors:
- assigned CVEs;
- shipped patches;
- changed rendering behavior;
- added confirmations;
- restricted tool access;
- published defensive guidance.
That is enough to treat prompt injection as a real application-security issue.
Why hidden documents and files are especially dangerous
Files are dangerous because users trust what they see.
A PDF appears clean.
A Word document looks final.
A spreadsheet opens on one visible tab.
A pull request description looks normal.
A calendar invite seems harmless.
But the AI may receive a different representation:
- white text on white background;
- tiny font text;
- hidden Markdown comments;
- HTML comments;
- metadata fields;
- annotations;
- hidden spreadsheet tabs;
- speaker notes;
- form fields;
- OCR text;
- raw document source;
- invisible Unicode;
- embedded links.
OWASP explicitly notes that prompt injections can affect a model even when imperceptible to humans, as long as the model parses the content.
If the AI can read it, the hidden layer matters.
What defenders should do now
The most consistent guidance across these cases is not “write a better system prompt.”
The Australian Cyber Security Centre, CISA, NSA, Canada’s Cyber Centre, New Zealand’s NCSC and the UK NCSC published joint guidance warning that agentic AI systems inherit LLM vulnerabilities, including prompt injection through malicious content in phishing emails and external data sources.
The practical recommendations are consistent:
- Treat external content as untrusted.
- Separate instructions from data wherever possible.
- Inspect files before AI upload.
- Strip or quarantine hidden layers such as comments, metadata, speaker notes and annotations.
- Limit connector permissions.
- Require human confirmation for sensitive actions.
- Monitor tool calls and outbound requests.
- Disable unnecessary rendering channels where possible.
- Apply least privilege to agents and connectors.
- Log and review agent actions as security events.
The bottom line
Prompt injection has matured from a chatbot trick into a security problem for connected AI systems.
The most important attacks now happen through ordinary content:
- emails
- documents
- pull requests
- calendar invites
- web pages
- forms
- business records
The attacker’s goal is not always to break the model directly. It is to place instructions where the model will later read them with someone else’s permissions.
The new attack surface is whatever your AI agent is allowed to read.
And the practical lesson is equally simple:
Before an AI system reads a file, email, webpage or business record, assume that content may contain instructions written for the machine, not for the human.