PromptRiskDBThreat intelligence atlas

AI Agent Tools - AI Security Technique

AI Security Technique

Adversaries may prompt the AI service to invoke various tools the agent has access to. Tools may retrieve data from different APIs or services in an organization.

Overview

A source-backed snapshot of this AI security technique.

Tactics0Attacker goals connected to this method.
Mitigations5Defenses that may help against this attack.
AI risks0Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0085.001
Maturity
demonstrated
Priority score
65

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence leveldemonstrated
  • Mapped defenses5 ATLAS mitigation records
  • Public examples3 linked case study records
  • Research risks0 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0028 - AI Agent Tools Permissions Configuration

Configuring AI Agent tools with access controls that are inherited from the user or the AI Agent invoking the tool can limit adversary's access to sensitive data.

LifecycleDeploymentCategoryTechnical - Cyber
Deployment

AML.M0024 - AI Telemetry Logging

Log requests to AI services to detect malicious queries for data.

LifecycleDeployment + 1 moreCategoryTechnical - Cyber
DeploymentMonitoring

AML.M0032 - Segmentation of AI Agent Components

Segmentation can prevent adversaries from utilizing tools in an agentic workflow to collect sensitive data.

LifecycleDeployment + 1 moreCategoryTechnical - Cyber
DeploymentB&D Understanding

Showing 4 of 5

Case studies

Examples from public reports and exercises.

Living Off AI: Prompt Injection via Jira Service Management

Researchers from Cato Networks demonstrated how adversaries can exploit AI-powered systems embedded in enterprise workflows to execute malicious actions with elevated privileges. This is achieved by crafting malicious inputs from external users such as support tickets that are later processed by internal users or automated systems using AI agents. These AI agents, operating with internal context and trust, may interpret and execute the malicious instructions, leading to unauthorized actions such as data exfiltration, privilege escalation, or system manipulation.

Date2025-06-19
exercise

Data Exfiltration via Agent Tools in Copilot Studio

Researchers from Zenity demonstrated how an organization’s data can be exfiltrated via prompt injections that target an AI-powered customer service agent.

The target system is a customer service agent built by Zenity in Copilot Studio. It is modeled after an agent built by McKinsey to streamline its customer service needs. The AI agent listens to a customer service email inbox where customers send their engagement requests. Upon receiving a request, the agent looks at the customer’s previous engagements, understands who the best consultant for the case is, and proceeds to send an email to the respective consultant regarding the request, including all of the relevant context the consultant will need to properly engage with the customer.

The Zenity researchers begin by performing targeting to identify an email inbox that is managed by an AI agent. Then they use prompt injections to discover details about the AI agent, such as its knowledge sources and tools. Once they understand the AI agent’s capabilities, the researchers are able to craft a prompt that retrieves private customer data from the organization’s RAG database and CRM, and exfiltrate it via the AI agent’s email tool.

Vendor Response: Microsoft quickly acknowledged and fixed the issue. The prompts used by the Zenity researchers in this exercise no longer work, however other prompts may still be effective.

Date2025-06-01
exercise

Planting Instructions for Delayed Automatic AI Agent Tool Invocation

Embrace the Red demonstrated that Google Gemini is susceptible to automated tool invocation by delaying the execution to the next conversation turn. This bypasses a security control that restricts Gemini from invoking tools that can access sensitive user information in the same conversation turn that untrusted data enters context.

Date2024-02-01
exercise

Source evidence

Original public records and references for this page.