Exfiltration via AI Agent Tool Invocation
AI agent tools capable of performing write operations may be invoked to exfiltrate data to an adversary. Sensitive information can be encoded into the tool's input parameters and transmitted to an adversary controlled location (such as an inbox, document, or server) as part of a seemingly legitimate action. Variants in
- Framework
- MITRE ATLAS
- Maturity
- Realized
- Platforms
- Agentic AI
- Release
- 2026.05
Overview
AI agent tools capable of performing write operations may be invoked to exfiltrate data to an adversary. Sensitive information can be encoded into the tool's input parameters and transmitted to an adversary-controlled location (such as an inbox, document, or server) as part of a seemingly legitimate action. Variants include sending emails, creating or modifying documents, updating CRM records, or even generating media such as images or videos.
The invoked tool itself may be legitimate but invoked by an adversary via LLM Prompt Injection, or the tool may be malicious (See AI Agent Tool Poisoning.
AI Agent Tool Poisoning can also be used manipulate the inputs and destination of a separate legitimate tool, invoked through normal usage by the victim.