Bliki: Agentic Email
As a tech enthusiast, I’ve been following the recent trend of people setting up Large Language Model (LLM) agents to work on their email and other communications. The prospect of having an intelligent, agentic assistant to manage my inbox is incredibly appealing, especially given the current state of communication tools like Slack, Discord, and chat servers.
However, there’s a significant concern surrounding this trend. Direct access to an email account exposes users to the Lethal Trifecta: untrusted content, sensitive information, and external communication. This trifecta poses a substantial security risk, particularly for senior and powerful individuals who may be setting up agentic email systems.
The worry compounds when considering password-reset workflows that often go through email. It’s easy to imagine an attacker intercepting the process and taking over an account. The risks associated with agentic email are real, and it’s essential to acknowledge them before proceeding.
Mitigating the Risks
One potential solution to mitigate these risks is to isolate the LLM agent from external communication while maintaining read-only access to emails. This approach would prevent the agent from accessing sensitive information or initiating external interactions, reducing the attack surface to just two elements of the Lethal Trifecta: untrusted content and sensitive information.
By drafting email responses and other actions in a text file for human review, we can introduce an additional layer of security. This approach would ensure that instructions cannot be hidden in HTML, making it more difficult for attackers to exploit the system.
The Cost of Safety
This solution comes at a cost: reduced capability compared to full agentic email systems. While this may be an acceptable trade-off to reduce the risk of security breaches, it’s essential to weigh the benefits against the limitations.
It’s also worth noting that just because there haven’t been any major security incidents related to agentic email yet, doesn’t mean they won’t happen in the future. We may be living in a false sense of security if we don’t take proactive measures to mitigate these risks.
Responsibility and Awareness
Anyone who decides to utilize agentic email systems needs to do so with full understanding of the risks involved. This includes acknowledging that they will bear some responsibility for the consequences of such a system.
By being aware of these risks and taking steps to mitigate them, we can reduce the attack surface and ensure a safer experience for users. The trend of agentic email is fascinating, but it’s crucial to approach this technology with caution and a critical eye.
Further Reading
For those interested in learning more about this topic, I recommend checking out previous discussions on the subject. Simon Willison wrote extensively on this problem back in 2023, coining the term “The Lethal Trifecta.” Jim Gumbley, Effy Elden, Lily Ryan, Rebecca Parsons, David Zotter, and Max Kanat-Alexander also offered comments on drafts of this post.
William Peltomäki’s experience with creating an exploit highlights the potential risks associated with agentic email systems. It’s essential to be informed and take a proactive approach to mitigating these risks.