AI Enterprise Compromise: 0-Click Exploit Methods
Black Hat USA 2025 · Day 1 · Briefings
Zenity CTO Michael Bargury and co-presenter Tamir demonstrate zero-click prompt injection attacks against enterprise AI agents across Microsoft Copilot Studio, Salesforce Agentforce (Einstein), Cursor with Jira MCP, and ChatGPT. In every case, an attacker who can place malicious content where an agent will encounter it can hijack the agent's tool calls, exfiltrate data, and persist malicious instructions across future sessions, all without any user interaction. The core advance over last year's one-click attacks is the exploitation of agent tools: where previous attacks required a user to actively engage with a malicious file or email, zero-click attacks weaponize content that agents read autonomously as part of their normal workflow.
AI review
Bargury closes the loop from last year's one-click attacks by eliminating the user from the equation entirely. Four enterprise platforms, four working exploits, and ChatGPT memory implanted through a timing window in the bio tool's deactivation logic. The CRM man-in-the-middle via a web form submission is genuinely disturbing.