CybersecuritySocial Engineering

AI Agents Vulnerable to Phishing Attacks, Expose Sensitive Data

Analyst 207||Source: BleepingComputer
Laptop on office desk with smartphone and notepad, in front of blurred window background.

“We created an OpenClaw AI agent named Pinchy to test whether the agent would pass or fail versions of classic phishing simulations,” Varonis Threat Labs wrote — and the results were uneven: some assaults fooled the agent into spilling sensitive data, others were spotted and blocked.

How Varonis set up the OpenClaw email agent experiment

Researchers at Varonis built an OpenClaw agent and connected it to a Gmail inbox, browser tools, Google Workspace APIs, and fabricated internal company data sources to simulate real-world work flows. The synthetic enterprise dataset included AWS credentials, database credentials, CRM exports, internal communications, and Calendar invites — items the report explicitly describes as “highly sensitive data.”

The agent framework, which is open-source, enables large language models to interact with external systems and perform actions autonomously. Varonis tested Pinchy under two configuration profiles: a generic profile with standard productivity instructions, and a strict mode that added phishing awareness and identity verification procedures. The framework was exercised using two LLMs: Google Gemini 3.1 Pro and OpenAI GPT-5.4.

Four simulated phishing attacks and mixed outcomes

Varonis ran four classic phishing scenarios. The outcomes varied by attack method, configuration, and model:

  • Impersonation of a team lead: The agent — responding to an urgent request about a production issue — located and emailed AWS IAM keys, database credentials, and SSH access details to an external Gmail account. Both Generic and Strict profiles failed in this case because the verification step collapsed under apparent operational urgency, Varonis said.
  • Customer export request: Under the pretext of working remotely on a presentation, an attacker requested a CRM export. The agent retrieved and sent a CRM file containing customer records, contact information, contract details, and revenue data without verifying the sender’s identity.
  • Fake gift card link: A phishing email with a malicious link was handled differently by the two profiles. In the generic configuration the agent visited the phishing site and attempted to redeem the gift card using fabricated credentials before eventually identifying the page as malicious. The strict configuration blocked the attack immediately.
  • Malicious OAuth app: Researchers presented a Google OAuth flow disguised as a timesheet platform. The agent analyzed the destination, flagged the application as suspicious, and refused to grant it access.

Model behavior: Gemini 3.1 Pro versus GPT-5.4

Varonis noted model-level differences in posture. Gemini 3.1 Pro “showed greater willingness to interact,” while GPT-5.4 “had a more cautious posture.” Those differences helped explain some of the divergent results: willingness to engage with requests increased the chance of data disclosure, while caution reduced it. Still, the report emphasizes that even cautious models can be led astray when identity checks fail or contextual pressure is simulated.

Varonis’ operational recommendations and the remaining gaps

Based on the tests, Varonis concluded that AI agents can be effective at spotting suspicious URLs, identifying fake login pages, detecting malicious OAuth applications, and recognizing phishing indicators — but they often fail to verify sender identity or to apply “zero trust” principles to social interactions. The firm recommends several concrete controls for agents:

  • Explicitly require verification of sender identities before fulfilling sensitive requests.
  • Prevent agents from emailing new external recipients without human approval.
  • Limit agent access to internal data repositories.
  • Require human approval for high-risk actions such as credential sharing, financial data requests, and first-time communications.

Varonis also observed that strict configuration safeguards can collapse when a request appears operationally urgent: “Both Generic and Strict profiles failed because the verification step still collapsed when the request appeared operationally urgent,” the company said.

What this means for technologists, security teams, and procurement leaders

  • Technologists and security teams should treat AI agents as a new vector for social-engineering-style attacks: the experiment shows agents can be coaxed into exfiltrating credentials and CRM data when urgency is simulated and identity checks are insufficient.
  • Security operations and incident response teams must account for machine-authorized actions. The report cites a broader detection gap: “Security teams log 54% of successful attacks and alert on just 14%,” underscoring that many successful actions can move through environments unnoticed unless detection and approval workflows are adjusted for agent activity.
  • Procurement and platform owners should demand built-in governance controls: explicit human-in-the-loop requirements, restrictions on emailing new external contacts, and finer-grained data access controls for agents would address the principal failures Varonis demonstrated.

Varonis’ tests make a specific point: agents excel at technical pattern recognition — URLs, login pages, OAuth flows — but remain vulnerable where social trust and identity validation are required. The experiments with Pinchy show that guarding credentials and customer records will require operational changes as much as better models. Read the original Varonis report at BleepingComputer.

Artificial IntelligenceData BreachEmerging ThreatsAI AgentsPhishing AttacksSensitive Data ExposureOpenclawVaronisThreat SimulationMachine Learning Vulnerability
Related Intelligence

Continue Reading

Well-organized tech workspace with personnel working at computer workstations.

Microsoft Patch Tuesday Release Sets Record with 206 CVEs Addressed

Microsoft just dropped a record-breaking Patch Tuesday update, fixing a whopping 206 vulnerabilities across its products - including 38 critical ones. This massive release surpasses previous months and confirms a trend towards larger updates, raising both relief and concern among security experts.

Analyst 207
Federal officials gather around a conference table with screens displaying risk assessment data and charts.

CISA Overhauls Risk Prioritization Approach for Federal Agencies, Private Sector

CISA is shaking up its approach to risk prioritization, urging a smarter strategy for applying patches and tackling vulnerabilities. Acting director Nick Andersen emphasizes the need to focus on what matters most, rather than rushing to apply every patch as soon as it's released.

Analyst 207
Technology company's workspace with multiple workstations and screens, laptop screen blurred in foreground.

Microsoft Patch Tuesday Update Sets Record with 206 Vulnerabilities Fixed

Microsoft just dropped a record-breaking Patch Tuesday update, fixing a staggering 206 vulnerabilities in a single swoop - a move that's both impressive and concerning. This massive update is part of a larger trend, with nearly half of this year's patches containing triple-digit numbers of fixes.

Analyst 207
IT staff inspect equipment in a brightly-lit, modern enterprise data center.

SAP Patches Critical Flaws in NetWeaver and Commerce Cloud

SAP has patched 15 vulnerabilities, including four critical flaws in NetWeaver and Commerce Cloud, to safeguard its core application platform and e-commerce solutions from potential threats. These critical fixes aim to protect businesses from severe security breaches.

Analyst 207