EchoLeak: indirect prompt injection through email metadata

EchoLeak is the working name for a class of indirect prompt injection where attacker-controlled email metadata (subject lines, From headers, reply-to fields) is read by an AI agent and treated as instruction.

The agent did nothing wrong. It performed the summarisation it was asked to perform. The vulnerability is that the system accepted instructions from a field that was never authenticated for that purpose.

What enforcement would have stopped it

A runtime gate on the tool call (read inbox → summarise → send to slack) that requires the source-of-instruction to match the user's authenticated session. NukonAI™ Veto Protocol classifies this as a TOOLCALL.PROVENANCE violation - the data being acted on did not originate from the principal authorised to act.

Framework mapping

OWASP LLM01 (Prompt Injection) and LLM03 (Training Data Poisoning - in the broader sense of "untrusted input becomes instruction"). NIST AI RMF GOVERN-1.4 (boundaries on agentic action) and MEASURE-2.6 (tracking input provenance).

The full clause-by-clause map ships in our compliance pack.