Saved in:
Bibliographic Details
Main Authors: Wu, Jiangrong, Nan, Yuhong, Wu, Jianliang, Yao, Zitong, Zheng, Zibin
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2507.02699
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916824441946112
author Wu, Jiangrong
Nan, Yuhong
Wu, Jianliang
Yao, Zitong
Zheng, Zibin
author_facet Wu, Jiangrong
Nan, Yuhong
Wu, Jianliang
Yao, Zitong
Zheng, Zibin
contents The increasing capabilities of LLMs have led to the rapid proliferation of LLM agent apps, where developers enhance LLMs with access to external resources to support complex task execution. Among these, LLM email agent apps represent one of the widely used categories, as email remains a critical communication medium for users. LLM email agents are capable of managing and responding to email using LLM-driven reasoning and autonomously executing user instructions via external email APIs (e.g., send email). However, despite their growing deployment and utility, the security mechanism of LLM email agent apps remains underexplored. Currently, there is no comprehensive study into the potential security risk within these agent apps and their broader implications. In this paper, we conduct the first in-depth and systematic security study of LLM email agents. We propose the Email Agent Hijacking (EAH) attack, which overrides the original prompts of the email agent via external email resources, allowing attackers to gain control of the email agent remotely and further perform specific attack scenarios without user awareness. To facilitate the large-scale evaluation, we propose EAHawk, a pipeline to evaluate the EAH attack of LLM email agent apps. By EAHawk, we performed an empirical study spanning 14 representative LLM agent frameworks, 63 agent apps, 12 LLMs, and 20 email services, which led to the generation of 1,404 real-world email agent instances for evaluation. Experimental results indicate that all 1,404 instances were successfully hijacked; on average, only 2.03 attack attempts are required to control an email agent instance. Even worse, for some LLMs, the average number of attempts needed to achieve full agent control drops to as few as 1.23.
format Preprint
id arxiv_https___arxiv_org_abs_2507_02699
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents
Wu, Jiangrong
Nan, Yuhong
Wu, Jianliang
Yao, Zitong
Zheng, Zibin
Cryptography and Security
The increasing capabilities of LLMs have led to the rapid proliferation of LLM agent apps, where developers enhance LLMs with access to external resources to support complex task execution. Among these, LLM email agent apps represent one of the widely used categories, as email remains a critical communication medium for users. LLM email agents are capable of managing and responding to email using LLM-driven reasoning and autonomously executing user instructions via external email APIs (e.g., send email). However, despite their growing deployment and utility, the security mechanism of LLM email agent apps remains underexplored. Currently, there is no comprehensive study into the potential security risk within these agent apps and their broader implications. In this paper, we conduct the first in-depth and systematic security study of LLM email agents. We propose the Email Agent Hijacking (EAH) attack, which overrides the original prompts of the email agent via external email resources, allowing attackers to gain control of the email agent remotely and further perform specific attack scenarios without user awareness. To facilitate the large-scale evaluation, we propose EAHawk, a pipeline to evaluate the EAH attack of LLM email agent apps. By EAHawk, we performed an empirical study spanning 14 representative LLM agent frameworks, 63 agent apps, 12 LLMs, and 20 email services, which led to the generation of 1,404 real-world email agent instances for evaluation. Experimental results indicate that all 1,404 instances were successfully hijacked; on average, only 2.03 attack attempts are required to control an email agent instance. Even worse, for some LLMs, the average number of attempts needed to achieve full agent control drops to as few as 1.23.
title Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents
topic Cryptography and Security
url https://arxiv.org/abs/2507.02699