AI email agents vulnerable to prompt injection attacks

Prompt injection via email is one of the most underappreciated attack surfaces in agentic AI — and most developers building email automation right now are shipping it vulnerable by default.

• –Instruction override exploits the AI's inability to distinguish developer-supplied system prompts from attacker-controlled user content
• –Data exfiltration attacks leverage the agent's helpfulness to extract system instructions, conversation history, or API keys when asked politely
• –Token smuggling with invisible Unicode characters defeats keyword-based filters entirely — a security team can visually audit the email and see nothing
• –The most dangerous scenario: an agent with outbound email or forwarding capabilities, where a single injected instruction becomes an ongoing silent data leak
• –Mitigations require architectural changes (input sanitization, privilege separation, output validation) — prompt-level "don't do bad things" guardrails are insufficient