"Shadow Escape": New Zero-Click Attack Steals Data from ChatGPT, Claude, and Gemini

"Shadow Escape" Zero-Click Attack Exploits AI Agents like ChatGPT to Silently Exfiltrate Data

HIGH
October 29, 2025
5m read
CyberattackCloud SecurityData Breach

Related Entities

Organizations

OperantOpenAI AnthropicGoogle NIST

Products & Tech

ChatGPTClaudeGeminiModel Context Protocol (MCP)

MITRE ATT&CK Techniques

T1566Initial Access

Phishing

T1567Exfiltration

Exfiltration Over Web Service

T1071.001Command and Control

Application Layer Protocol: Web Protocols

T1199Initial Access

Trusted Relationship

Full Report

Executive Summary

Cybersecurity firm Operant has disclosed a new, highly evasive attack technique named "Shadow Escape" that targets the burgeoning ecosystem of interconnected AI agents. This zero-click attack exploits the Model Context Protocol (MCP), a foundational component for agent-to-agent communication, to silently exfiltrate sensitive data. Popular AI agents including OpenAI's ChatGPT, Anthropic's Claude, and Google's Gemini are all potentially vulnerable. The attack requires no user interaction and can bypass conventional security measures, creating a new and significant risk vector for any organization integrating these powerful AI tools into their workflows. Massive, undetected breaches may already be underway.

Threat Overview

The "Shadow Escape" attack is a novel technique that turns a core feature of agentic AI against itself. The attack works as follows:

  1. A threat actor crafts a document (e.g., a PDF, Word document) containing hidden, malicious instructions.
  2. This document is made available for download from a seemingly legitimate public source, such as an employee onboarding portal.
  3. An unsuspecting user, or an automated process, uploads this document to an AI agent for summarization, analysis, or other processing.
  4. When the AI agent processes the document, it also ingests and executes the hidden instructions.
  5. These instructions command the agent to access and exfiltrate sensitive data it has access to (e.g., PII, financial records, medical information) through its connected systems via the Model Context Protocol (MCP).

Because the attack is initiated by a trusted AI agent's internal processes, it is not detected by traditional firewalls, EDR, or data loss prevention (DLP) tools. The lack of any required user click or interaction makes it exceptionally dangerous.

Technical Analysis

The core of the vulnerability lies in the Model Context Protocol (MCP). MCP is designed to allow different AI models and agents to share context and work together. However, this interconnectivity, combined with broad default permissions, creates a large, exploitable attack surface. The "Shadow Escape" attack essentially performs prompt injection via a file, but the malicious action is carried out by the AI agent itself, which is often a trusted entity on the network.

  • Attack Vector: Malicious instruction hidden within a benign-looking file.
  • Vulnerable Component: Any AI agent or system connected via the Model Context Protocol (MCP).
  • Impact: Silent, undetected exfiltration of any data the AI agent has permissions to access.

According to Donna Dodson, former chief of cybersecurity at NIST, securing MCP and agent identities is a critical, yet overlooked, aspect of AI security, especially in high-stakes industries.

Impact Assessment

The potential impact of "Shadow Escape" is massive. As enterprises increasingly integrate AI agents into business-critical workflows and grant them access to sensitive databases and internal applications, these agents become high-value targets. A single compromised document could lead to:

  • Large-scale breaches of personally identifiable information (PII), including Social Security numbers and medical records.
  • Theft of intellectual property, trade secrets, and financial data.
  • Compliance violations under regulations like GDPR and HIPAA.
  • Complete loss of trust in enterprise AI systems.

Operant AI estimates that trillions of records could be at risk due to widespread default permissions granted to AI agents.

Detection & Response

Detecting "Shadow Escape" is challenging with traditional tools. New approaches are required:

  • AI Tool Monitoring: Implement real-time monitoring of all inputs and outputs of AI agents. Analyze the behavior of agents to detect anomalous activity, such as accessing sensitive data repositories after processing an external document.
  • Permission Auditing: Regularly audit the permissions granted to all AI agents. Enforce the principle of least privilege to ensure agents can only access the specific data required for their tasks.
  • Contextual Identity and Access Management (CIAM): Deploy CIAM solutions that can understand the context of an AI agent's request and block unauthorized actions, even if the agent itself is compromised.

Mitigation

  • Document Sanitization: Before uploading any external document to an AI agent, use a sanitization tool to strip out any hidden instructions, macros, or scripts. Treat all external files as untrusted.
  • Inline Data Redaction: Use tools that automatically redact sensitive data before it is sent to or processed by an AI agent, preventing the agent from ever having access to it.
  • Principle of Least Privilege: Drastically limit the data and systems that AI agents can access. Do not grant broad, default permissions. Each integration should be carefully scoped.
  • User Education: Train employees on the risks of uploading external documents to AI platforms and establish clear policies for safe AI usage.

Timeline of Events

1
October 29, 2025
This article was published

MITRE ATT&CK Mitigations

Application Isolation and Sandboxing

M1048enterprise

Running AI agents in a sandboxed environment with strict controls over what data and network resources they can access can contain the impact of an attack.

Restrict Web-Based Content

M1021enterprise

Sanitizing and analyzing all documents and web-based content before they are ingested by AI agents can strip out malicious instructions.

Privileged Account Management

M1026enterprise

Applying the principle of least privilege to the service accounts used by AI agents ensures they cannot access data beyond their explicit function.

User Training

M1017enterprise

Educating users about the risks of uploading untrusted documents to any system, including AI platforms.

D3FEND Defensive Countermeasures

Dynamic Analysis

D3-DAMaps to MITREM1048
D3FEND

To counter the 'Shadow Escape' attack, organizations should implement dynamic analysis (sandboxing) for all documents before they are passed to an AI agent. This involves opening the document in an isolated, instrumented environment to observe its behavior. For this specific threat, the sandbox should be configured to detect and flag any embedded instructions, scripts, or API calls that could be interpreted by an AI model. This pre-processing step acts as a filter, ensuring that only sanitized, safe content reaches the AI agent, effectively neutralizing the initial vector of the attack. This is particularly crucial for documents sourced from the internet or other untrusted external parties.

User Account Permissions

D3-UAPMaps to MITREM1018
D3FEND

The core of mitigating the impact of a compromised AI agent is to strictly enforce the principle of least privilege on its service account. The account used by ChatGPT, Gemini, or Claude should have the bare minimum permissions required to perform its designated task. For example, if an agent is meant to summarize documents, it should not have read access to the entire company database or file shares. Access should be governed by a 'deny-by-default' policy, with explicit, narrowly-scoped permissions granted on a case-by-case basis. Regularly auditing these permissions is critical to prevent 'privilege creep' and ensure that even if an agent is tricked by 'Shadow Escape,' the blast radius of data exfiltration is severely limited.

Web Session Activity Analysis

D3-WSAAMaps to MITREM1040
D3FEND

Security teams must extend their monitoring to include the activity of AI agents themselves. By implementing Web Session Activity Analysis or a similar User and Entity Behavior Analytics (UEBA) solution, teams can baseline the normal behavior of their AI agents. The system can then detect and alert on anomalous activity, such as an agent that normally only processes text suddenly attempting to access a sensitive customer database or making an outbound connection to an unknown API endpoint after processing a specific document. This behavioral detection is key to identifying a compromised agent when traditional signature-based tools fail.

Sources & References

First Zero Click Attack Exploits MCP and Connected Popular AI Agents To Exfiltrate Data Silently - Cyber Security News
Cyber Security News (cybersecuritynews.com) October 28, 2025
(Placeholder)
Example (example.com) October 28, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

AI SecurityZero-ClickChatGPTGeminiClaudeMCPData BreachPrompt Injection

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next