Researchers from cybersecurity firm DTEX have highlighted significant security risks associated with integrating agentic AI tools into corporate environments. A new study details how Anthropic’s Claude Cowork, a platform for deploying AI agents, can grant those agents far more system access than the task at hand requires, creating a path to data breaches. The findings underscore growing concerns about how fast-developing AI tools can be misused by both external attackers and insiders.
The research, shared exclusively with CyberScoop, points to a specific tool within Claude Cowork called Dispatch. This tool allows users to remotely control AI agents from their personal devices and includes plugins for interacting with other business applications, such as Salesforce AI agents. This convenience, researchers warn, comes with what amounts to near-total system access for the deployed AI agent.
Potential for Insider Threats with Agentic AI Tools
DTEX researchers conducted tests to illustrate the potential for data exfiltration. One scenario involved prompting Claude to summarize information from one Salesforce instance and transfer it to a draft Outlook email. Another test tasked the agent with archiving selected files and moving them via the Cowork app.
These tests used simple, single-turn prompts and required minimal preparation time, between 10 and 30 minutes. How quickly such tasks can be executed is a growing concern for cybersecurity professionals. Alex Desmond, director of insider threat intelligence and innovation at DTEX, noted that advances in AI models and their deeper integration into IT operations are drastically reducing the time defenders have to detect and respond to threats.
“In cyberattacks, you talk about the kind of execution time of adversaries coming in and dropping ransomware, we’re now seeing the kill chain drop to 30 and 10 minutes depending on what they’re doing,” Desmond told CyberScoop. “Six months ago, that was a couple of hours.”
This speed, when combined with direct access to sensitive business networks and cloud services, creates a significant challenge for organizations. They must now monitor for both sophisticated external attacks and potential misuse or accidental leakage of data by legitimate employees leveraging these powerful AI tools.
North Korean State-Sponsored Threat Actors and AI Integration
The DTEX research also touches on the tactics employed by state-sponsored threat actors. In recent years, Western IT and cybersecurity firms have encountered numerous job applicants working covertly for the North Korean government. The salaries these individuals earn help the regime evade international sanctions and fund its nuclear program, and the positions themselves give them opportunities to access or steal sensitive corporate data.
“You’ve got a nation-state actor getting into an environment legitimately,” Desmond explained. “Now if you gave them access to AI tools on top of that…you’re like ‘here’s the keys to everything and here’s this awesome tool that’s just going to make your job – stealing our data – easier.’”
DTEX’s testing confirmed that deployed Claude Cowork agents had access to a wide range of sensitive corporate systems and data. This included the ability to download data from SharePoint and OneDrive, access Outlook email, retrieve information from Salesforce, and read any files present on the user’s endpoint device. Crucially, the research states that these findings do not stem from exploiting software bugs or configuration vulnerabilities, and no CVE is involved. The agent is simply inheriting the access of the user who runs it. The issue is therefore characterized as an IT governance and visibility problem rather than a software flaw.
Many businesses are reportedly rushing to integrate AI tools and encourage employee adoption without implementing the necessary security controls, access policies, and monitoring mechanisms required to detect potential problems.
Challenges in Detecting AI-Driven Data Exfiltration
A key challenge identified is the difficulty of tracing data breaches or leakage that involve AI agents. If an organization is not diligently logging and auditing the prompts given to its AI agents, it may be impossible to determine whether an incident resulted from malicious instructions or from an agent acting erratically. Standard network and cloud monitoring can record that data was read from a platform like SharePoint, but when the agent runs under the employee’s identity and the employee routinely accesses that data anyway, the reads look like the employee’s normal workflow and raise no alarm; only the prompt and tool-call trail reveals what the agent was told to do with the data afterwards.
“If a user’s normal workflow is to pull sensitive files down to work locally all the time, you don’t have endpoint monitoring and you introduce an AI agent, it then just has access to all that data,” along with the ability to exfiltrate it, Desmond concluded.
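The detection gap described above is about correlation, not visibility of any single event: each read looks routine on its own, and only the sequence (sensitive reads followed by an outbound write in the same agent session) tied back to the prompt tells an analyst what happened. The following is an added illustration, not code from DTEX, Anthropic, or the CyberScoop article. The audit-log line format, the tool names (`sharepoint`, `salesforce`, `outlook_draft`, `archive_upload`, `endpoint_fs`), the session identifiers and the prompt log are all constructed assumptions; a real deployment would map its vendor’s actual tool-call and prompt logs onto these fields.

```python
"""Correlate an AI agent's tool-call audit trail with the prompt that drove it.

Added example; the log format, tool names and sample data below are
constructed for illustration and do not come from any vendor's real logs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Tools an agent reads sensitive data from, and channels data can leave by
# (hypothetical names; map to your vendor's real tool identifiers).
SENSITIVE_SOURCES = {"sharepoint", "onedrive", "salesforce", "endpoint_fs"}
OUTBOUND_SINKS = {"outlook_draft", "outlook_send", "archive_upload"}


@dataclass
class ToolCall:
    ts: datetime
    user: str
    session: str   # agent session id; ties tool calls back to one prompt
    tool: str
    action: str    # "read" or "write"
    target: str


@dataclass
class Finding:
    user: str
    session: str
    sources: list[str]       # tool:target of the sensitive reads that fed the sink
    sink: str                # tool:target of the outbound write
    prompt: Optional[str]    # None when no prompt was logged for the session


# Constructed key=value audit line format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"tool=(?P<tool>\S+) action=(?P<action>read|write) target=(?P<target>\S+)$"
)


def parse_line(line: str) -> ToolCall:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ToolCall(ts, m["user"], m["session"], m["tool"], m["action"], m["target"])


def correlate(calls: list[ToolCall], prompts: dict[str, str],
              window: timedelta = timedelta(minutes=30)) -> list[Finding]:
    """Flag an outbound write preceded, within `window`, by sensitive reads
    in the same agent session, and attach the logged prompt if there is one."""
    by_session: dict[str, list[ToolCall]] = {}
    for c in calls:
        by_session.setdefault(c.session, []).append(c)

    findings: list[Finding] = []
    for session, evs in by_session.items():
        evs.sort(key=lambda c: c.ts)
        for i, ev in enumerate(evs):
            if ev.action != "write" or ev.tool not in OUTBOUND_SINKS:
                continue
            feeders = [
                f"{p.tool}:{p.target}"
                for p in evs[:i]
                if p.action == "read" and p.tool in SENSITIVE_SOURCES
                and ev.ts - p.ts <= window
            ]
            if feeders:
                findings.append(Finding(ev.user, session, feeders,
                                        f"{ev.tool}:{ev.target}",
                                        prompts.get(session)))
    return findings


# Constructed sample data: s1 is the Salesforce-to-Outlook-draft scenario,
# s2 is routine work with no outbound write inside the window, and s3 is an
# archive-and-upload with no prompt logged, so it cannot be attributed.
AUDIT_LOG = """\
2025-05-01T10:02:11Z user=alice session=s1 tool=salesforce action=read target=Account/ACME
2025-05-01T10:03:40Z user=alice session=s1 tool=sharepoint action=read target=Finance/Q1-forecast.xlsx
2025-05-01T10:05:02Z user=alice session=s1 tool=outlook_draft action=write target=draft/7f3a
2025-05-01T11:00:00Z user=bob session=s2 tool=sharepoint action=read target=HR/handbook.pdf
2025-05-01T13:15:00Z user=bob session=s2 tool=outlook_draft action=write target=draft/9c01
2025-05-01T14:20:05Z user=carol session=s3 tool=endpoint_fs action=read target=C:/Users/carol/Contracts/
2025-05-01T14:21:30Z user=carol session=s3 tool=archive_upload action=write target=archive/contracts.zip
"""

PROMPT_LOG = {
    "s1": "Summarize the ACME account and the Q1 forecast into an email draft",
    "s2": "Find the PTO policy in the handbook",
    # s3 deliberately absent: prompt logging was not enabled for that session
}


def run_sample() -> list[Finding]:
    calls = [parse_line(l) for l in AUDIT_LOG.splitlines() if l.strip()]
    return correlate(calls, PROMPT_LOG)


if __name__ == "__main__":
    for f in run_sample():
        who = f.prompt if f.prompt is not None else "UNATTRIBUTED (no prompt logged)"
        print(f"{f.user} {f.session}: {f.sources} -> {f.sink} | prompt: {who}")
```

Session s2 produces nothing even though SharePoint was read, because no outbound write followed within the window; that is the routine-workflow case the article describes. Session s3 is flagged but cannot be tied to an instruction, which is exactly the situation an organization is left in when it does not log prompts.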
Looking ahead, organizations will need to reassess their IT governance frameworks and invest in enhanced visibility tools to address the evolving risks posed by agentic AI. Revised guidance and tighter default access scoping from AI providers would help, but because the research attributes the risk to governance and visibility rather than to a software flaw, a patch alone will not close it.