Bad Actors Don’t Hack Your System Anymore. They Ask Your AI.

Laptop showing an ordinary business email with hidden commands embedded in the message, illustrating a zero-click AI attack

The next generation of malware doesn’t send a link. It hides a command inside an ordinary email and lets your AI carry it out.

Every cyberattack most businesses have heard of works the same way: someone clicks something they shouldn’t. A bad link leads to a fake login page, and the account is compromised. The next versions of AI attacks, or worms, don’t need any of that.

In 2024, researchers at Cornell Tech and the Technion Institute built the first worm designed to attack AI-powered tools. They called it the Morris II AI worm and tested it against email assistants that read your messages. A single poisoned email made each assistant read the inbox, steal confidential data, and forward the infected message to the next person automatically. It did all of that because the email told it to.

This isn’t theoretical anymore. Morris II stayed in the lab, but the real ones have arrived. In 2025, researchers disclosed a zero-click flaw in Microsoft 365 Copilot called EchoLeak and a similar one in ChatGPT’s research agent called ShadowLeak. Both pulled data out of an email with no click required. Each vendor patched the flaw before anyone was known to have used it in a live attack. The point is simple: this attack class now works against the AI tools businesses use every day, not just in a research demo.

How It Works

Your business probably uses AI tools, something that sorts your emails, answers customer questions, updates your customer records (CRM), or pulls together documents. Used well, they’re a real advantage, because they can read, write, and act on your behalf. The flip side: what you hand those tools doesn’t always stay private, and the same access that makes them useful is exactly what an attacker wants. And that’s what makes them a target.

Imagine an attacker slips a hidden instruction into an email or a customer message, something that looks completely normal. It could be text hidden in the same color as the background, or just an email with instructions buried inside. Your AI reads it and, without knowing any better, follows it. It packages the data it has access to, sends it off to the bad actor, then quietly passes the same hidden instruction along in the next email. Then the AI tool on the other end picks it up and does the same thing.

Each email plugin, scheduling assistant, chatbot, document tool, etc., is a potential entry point, and legacy antivirus won’t see it. Most businesses don’t have a clear picture of how many AI tools are running in their environment. Get a Free SC Network Solutions Risk Assessment today.

Why Antivirus Can’t See a Zero-Click AI Attack

Traditional antivirus scans files for known threat patterns. A zero-click AI attack doesn’t use a file. The payload is language. It looks like a normal email, a normal document, a normal chat message. There’s nothing for antivirus to flag.

Here’s the harder truth. The two real cases above ran inside the AI vendor’s own cloud. EchoLeak executed inside Microsoft 365 Copilot. ShadowLeak ran on OpenAI’s servers. No tool sitting on your computer or your network would have caught either one. The vendors fixed them after researchers reported them. You can’t patch someone else’s cloud, and neither can we. It’s the same bind as inheriting the damage when a vendor you rely on gets breached.

What you can control is the AI tools and agents that run on or connect to your own systems, and what they are allowed to reach. That is where behavioral endpoint detection earns its place: watching for an AI tool or account pulling data it normally never touches, or a spike in outbound activity, on the systems you own. SC Network Solutions runs this as part of our managed detection and response stack, backed by a 24/7 Security Operations Center where real people validate what the tools flag. It is one layer, not the whole answer.

There’s no single fix for AI attacks. There’s layered security.

No single tool stops this. Defending against zero-click AI attacks means layering endpoint detection, email threat protection, network monitoring, tight access controls, and human eyes watching the patterns automated tools flag. Each layer catches what the last one missed. That’s the foundation on which managed security is built.

Talk to an SC Network Solutions Expert

What to Do Now

  1. Know what’s running. Email plugins, chatbots, CRM automations, scheduling tools, and the access they have. That’s the first gap to close.
  2. Keep systems separated. A customer-facing chatbot shouldn’t have a path to your internal files. Separation isn’t just good practice. It’s what keeps one compromised tool from becoming a company-wide problem.
  3. Watch behavior, not just signatures. You need monitoring that looks at what your AI tools and accounts actually do, not just patterns from past attacks.
  4. Get a professional set of eyes on it. A risk assessment maps where your AI tools live, what they connect to, and where the gaps are. It’s the only way to build a defense that fits your actual environment, not a generic one.

Don’t let the first real-world incident be the discovery process. Get your FREE SC Network Solutions Risk Assessment today.