Agent-based AI systems are facing an increasing wave of sophisticated cyberattacks, particularly zero-click and one-click exploit chains capable of compromising some of the most widely used enterprise AI platforms. These attacks exploit vulnerabilities in platforms like ChatGPT, Copilot Studio, Cursor with Jira MCP, Salesforce Einstein, Google Gemini, and Microsoft Copilot.
The hallmark of these exploits is the use of indirect prompts hidden in seemingly harmless resources, which can trigger malicious actions with minimal or no user interaction. This method, known as prompt injection, has long been a challenge for large language model systems, and the growing adoption of AI agents is magnifying the risk.
One notable case involves Salesforce Einstein, where attackers can insert specially crafted CRM records that appear legitimate. When a sales representative requests routine information, the AI agent processes hidden instructions, leading to unauthorized actions. In a demonstration, customer email addresses were replaced with attacker-controlled domains, silently redirecting communications while concealing the changes through encoded aliases.
Another zero-click exploit targets the developer tool Cursor when integrated with Jira. A seemingly innocuous Jira ticket can trigger code execution on the victim’s system, enabling theft of sensitive data such as API keys and stored credentials—without any interaction from the user.
Researchers have also showcased attacks on AI agents connected to cloud services. For instance, an invisible prompt hidden in a shared document could manipulate an AI assistant to search for and exfiltrate sensitive information like API keys from linked services such as Gmail or Microsoft 365. Even simple user queries, like summarizing a meeting, could inadvertently trigger the malicious instructions.
The persistence of these vulnerabilities highlights the shortcomings of current AI security measures. Many platforms rely on “soft boundaries” such as adjusted training data, statistical filters, or system instructions—barriers that can be bypassed by creative prompt manipulation. More secure “hard boundaries,” involving strict technical limitations like URL validation or content blocking, offer stronger protection but often reduce functionality.
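The URL-validation "hard boundary" described above, as an added example that is not from the article or from any of the named vendors: a deny-by-default gate that an agent runtime applies to each tool call before acting, checking destination URLs and contact e-mail domains against an allowlist so that an injected instruction cannot redirect traffic to an outside domain (the tool names, argument shape and allowlist are assumptions).

```python
"""Hard-boundary gate for agent tool calls: allowlist check on URLs and
e-mail destinations before the agent is allowed to act on them.
Added example; the tool-call shape and the allowlist are assumptions."""
from urllib.parse import urlsplit, unquote

ALLOWED_DOMAINS = {"corp.example", "partner.example"}  # constructed allowlist


def _domain_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain. Percent-encoded and
    punycode (xn--) hosts are rejected, since encoding is one way a swapped
    destination can be made to look like the original."""
    host = host.lower().rstrip(".")
    if not host or host != unquote(host) or "xn--" in host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def check_url(url: str) -> tuple[bool, str]:
    """Allow only https URLs whose real host is allowlisted; userinfo is
    refused because 'https://corp.example@other.example/' resolves to other."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (possible host spoofing)"
    if not _domain_allowed(parts.hostname or ""):
        return False, f"host {parts.hostname!r} not in allowlist"
    return True, "ok"


def check_email(address: str) -> tuple[bool, str]:
    """Split on the LAST '@' so 'a@corp.example@other.example' is caught."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "@" in local:
        return False, "malformed address"
    if not _domain_allowed(domain):
        return False, f"domain {domain!r} not in allowlist"
    return True, "ok"


def check_tool_call(call: dict) -> tuple[bool, str]:
    """Deny by default: only known tools with validated destinations pass."""
    tool, args = call.get("tool"), call.get("args", {})
    if tool == "http_get":
        return check_url(args.get("url", ""))
    if tool == "update_contact_email":
        return check_email(args.get("email", ""))
    return False, f"tool {tool!r} not permitted"
```

The gate runs on the tool-call arguments the model actually emits, not on the prompt, so it holds regardless of how the injected text was phrased.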
These incidents underline the urgent need for robust, technical safeguards in AI systems. With agent-based AI becoming a staple in enterprise operations, the stakes are high. The risk is not limited to data leaks; potential consequences include unauthorized financial transactions, control over connected devices, and large-scale exploitation of integrated enterprise tools. Strengthening defenses against zero-click and one-click exploits is critical to ensuring AI remains a safe and trusted technology in business environments.