CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

ShadowLeak Attack: Undetectable Email Theft via AI Agents

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

A new attack technique called ShadowLeak exploits AI agents integrated with email services, allowing attackers to invisibly steal email contents and other sensitive data. The attack leverages hidden code in emails to manipulate AI agents into exfiltrating data to attacker-controlled servers. The vulnerability was discovered by Radware in spring 2025 and addressed by OpenAI in August 2025. The ShadowLeak attack targets users who connect AI agents like ChatGPT to their email inboxes. By embedding hidden code in emails, attackers can trick the AI into performing malicious actions, such as sending email contents to an external server, without leaving any trace on the user's network. This makes the attack difficult to detect and mitigate. The attack was demonstrated on Gmail and ChatGPT but is likely applicable to other email services and AI agents. OpenAI has acknowledged and fixed the issue, but the exact details of the fix are unclear. Security experts suggest that a layered approach, including input sanitization and AI-driven detection, may be necessary to fully address such threats. The attack utilizes an indirect prompt injection that can be hidden in email HTML (tiny fonts, white-on-white text, layout tricks) so the user never notices the commands, but the agent still reads and obeys them. The attack leaks data directly from OpenAI's cloud infrastructure, making it invisible to local or enterprise defenses. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint, effectively broadening the attack surface.

Timeline

  1. 19.09.2025 22:07 πŸ“° 2 articles Β· ⏱ 1d ago

    ShadowLeak Attack: Undetectable Email Theft via AI Agents Discovered

    In spring 2025, Radware discovered a new attack technique called ShadowLeak that exploits AI agents integrated with email services to invisibly steal email contents and other sensitive data. The attack leverages hidden code in emails to manipulate AI agents into exfiltrating data to attacker-controlled servers. OpenAI addressed the vulnerability in August 2025, but the exact details of the fix are unclear. Security experts suggest that a layered approach, including input sanitization and AI-driven detection, may be necessary to fully address such threats. The attack utilizes an indirect prompt injection that can be hidden in email HTML (tiny fonts, white-on-white text, layout tricks) so the user never notices the commands, but the agent still reads and obeys them. The attack leaks data directly from OpenAI's cloud infrastructure, making it invisible to local or enterprise defenses. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint, effectively broadening the attack surface.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428

Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).

Open in new tab

Active exploitation of type confusion in Chrome's V8 engine

Google has patched a zero-day vulnerability in Chrome (CVE-2025-10585), a type confusion issue in the V8 JavaScript and WebAssembly engine. The flaw is actively exploited in the wild, posing a risk to millions of users. The patch is available in Chrome versions 140.0.7339.185/.186 for Windows and macOS, and 140.0.7339.185 for Linux. Users of other Chromium-based browsers should also apply the fixes. The vulnerability can lead to unexpected software behavior, arbitrary code execution, and program crashes. Google's Threat Analysis Group (TAG) discovered and reported the flaw on September 16, 2025. This is the sixth zero-day vulnerability in Chrome exploited or demonstrated in 2025.

Open in new tab

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.

Open in new tab

Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses

A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.

Open in new tab

Lies-in-the-Loop Attack Exploits AI Coding Agents

A new attack vector, dubbed 'lies-in-the-loop' (LITL), targets AI coding agents by manipulating them to execute dangerous commands. The attack exploits the trust between human users and AI agents, convincing users to approve harmful actions. Researchers from Checkmarx Zero demonstrated the attack on Anthropic's Claude Code, showing how it can be used to execute arbitrary commands and potentially compromise the software supply chain. The LITL attack leverages prompt injection to trick AI agents into providing fake, seemingly safe contexts. This manipulation can lead users to unknowingly approve harmful actions, highlighting the risks associated with AI-assisted coding tools. The attack was successfully tested on developers, demonstrating its effectiveness in real-world scenarios.

Open in new tab