ResearchTrend.AI
5
0

Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents

Jiangrong Wu
Yuhong Nan
Jianliang Wu
Zitong Yao
Zibin Zheng
ArXiv (abs)PDFHTML
Main:12 Pages
11 Figures
Bibliography:4 Pages
7 Tables
Appendix:3 Pages
Abstract

The increasing capabilities of LLMs have led to the rapid proliferation of LLM agent apps, where developers enhance LLMs with access to external resources to support complex task execution. Among these, LLM email agent apps represent one of the widely used categories, as email remains a critical communication medium for users. LLM email agents are capable of managing and responding to email using LLM-driven reasoning and autonomously executing user instructions via external email APIs (e.g., send email). However, despite their growing deployment and utility, the security mechanism of LLM email agent apps remains underexplored. Currently, there is no comprehensive study into the potential security risk within these agent apps and their broader implications.In this paper, we conduct the first in-depth and systematic security study of LLM email agents. We propose the Email Agent Hijacking (EAH) attack, which overrides the original prompts of the email agent via external email resources, allowing attackers to gain control of the email agent remotely and further perform specific attack scenarios without user awareness.To facilitate the large-scale evaluation, we propose EAHawk, a pipeline to evaluate the EAH attack of LLM email agent apps. By EAHawk, we performed an empirical study spanning 14 representative LLM agent frameworks, 63 agent apps, 12 LLMs, and 20 email services, which led to the generation of 1,404 real-world email agent instances for evaluation. Experimental results indicate that all 1,404 instances were successfully hijacked; on average, only 2.03 attack attempts are required to control an email agent instance. Even worse, for some LLMs, the average number of attempts needed to achieve full agent control drops to as few as 1.23.

View on arXiv
@article{wu2025_2507.02699,
  title={ Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents },
  author={ Jiangrong Wu and Yuhong Nan and Jianliang Wu and Zitong Yao and Zibin Zheng },
  journal={arXiv preprint arXiv:2507.02699},
  year={ 2025 }
}
Comments on this paper