Proofpoint, one of the world’s largest email security firms, has identified a new class of threats called AI-agent phishing. Instead of tricking people, attackers are now embedding malicious instructions directly inside emails, hidden from human view but readable by AI systems like Microsoft Copilot, Google Gemini, or any enterprise agent that processes email automatically. When we use agentic systems to act on our email (summarizing, scheduling, or drafting), they may unknowingly execute those hidden prompts sending confidential data, approving a fraudulent request, or even creating a backdoor for more attacks.
Proofpoint’s systems scan billions of messages each day, and they are already filtering these prompt-injection exploits before they reach inboxes. Security researchers at Red Canary and TechRadar report similar patterns across AI-powered tools, from Copilot Studio to custom-built business agents. In short, the same technology that helps employees save time is creating new attack vectors that are almost impossible to quantify.
These systems read, write, and act with minimal oversight. Traditional security frameworks that are focused on user behavior and credentials weren’t designed for agents that think and act autonomously.
This is not a reason to panic, but it is a reason to plan. Governance, agent permissions, and human-in-the-loop safeguards have to be adapted to the new threat. The future of productivity is agentic, but so is the future of cybersecurity.
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it. This work was created with the assistance of various generative AI models.