Threat Actors Can Exploit Default ServiceNow AI Assistants Configurations to Launch Prompt Injection

Du'aine Davis · 2025-11-20T10:47:13+00:00

Observed in the wild * On 19 November, AppOmni researchers identified that ServiceNow’s Now Assist AI agents can be exploited via second-order prompt injection attacks, enabling malicious tasks such as CRUD operations and email exfiltration. These attacks occurred earlier this year and bypassed ServiceNow’s built-in prompt…

Du'aine Davis

Observed in the wild

On 19 November, AppOmni researchers identified that ServiceNow’s Now Assist AI agents can be exploited via second-order prompt injection attacks, enabling malicious tasks such as CRUD operations and email exfiltration. These attacks occurred earlier this year and bypassed ServiceNow’s built-in prompt injection protections by leveraging insecure configurations like default team grouping and discoverable agents.
The attack chain relied on agent-to-agent discovery within Now Assist, where a benign agent was tricked into recruiting more powerful agents to execute harmful actions. Misconfigurations, such as autonomous execution, enabled overrides, and discovery-enabled LLMs, created an environment where low-privileged users could escalate privileges or exfiltrate sensitive data.
Organisations should enforce supervised execution for privileged tools, disable autonomous overrides, segment agents into task-specific teams, and continuously monitor for behavioural anomalies. For Microsoft Defender users, focus on identifying unusual inter-agent communications and privilege escalations as behavioural indicators of compromise.

Stop Prompt Injection Attacks in ServiceNow with AppOmni AgentGuard

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

Weaponised Calendar Invites Exploit Google Gemini via Indirect Prompt Injection
Observed in the wild

On 19 January, researchers idenified a vulnerability in Google Gemini’s integration with Google Calendar, where a malicious calendar invite could bypass privacy controls. When the victim later queried Gemini about their schedule, the model parsed the attacker‑crafted event and silently leaked private meeting data. The attack required no user interaction beyond receiving the invite and asking a routine question.
The attack used Indirect Prompt Injection: a natural‑language payload hidden in a calendar event description. When Gemini interpreted the event, it executed the embedded instructions, summarising private meetings, creating a new event, and writing exfiltrated data into it. The vector was purely semantic (no suspicious syntax), exploiting how LLMs interpret helpful‑looking language. Ethical security researchers demonstrated the exploit.
Recommended mitigations (with Microsoft Defender focus where relevant)Organisations should monitor for unexpected calendar‑event creation, anomalous LLM‑triggered API calls, and unusual cross‑user calendar access patterns. Defender for Cloud Apps and Microsoft Defender XDR can detect abnormal OAuth/API activity, suspicious automation patterns, and unauthorised data‑write operations.

Weaponizing Calendar Invites: How Prompt Injection Bypassed Google Gemini’s Controls

See what's trending

Click on a tag to discover all the published content related to it.