Agentic AI Phishing: Perplexity's Comet Bypassed in Under 4 Minutes

Just caught the Guardio research on Perplexity's Comet AI browser, and it’s a stark reminder of the risks we face with agentic AI. The researchers managed to trick the AI into a phishing scam in less than four minutes by exploiting its reasoning capabilities. Essentially, they used indirect prompt injection to make the AI lower its own guardrails and execute the attack.

This isn't just a script kiddie XSS; this is the AI "thinking" it's doing the right thing while walking right into a trap. For us on the defensive side, this complicates the trust model significantly. We aren't just validating user input anymore; we have to worry about the "autonomous" decisions made by an agent acting on behalf of the user.

Detection is going to be tricky because the traffic looks legitimate. I've started looking into KQL queries to flag anomalies associated with AI user-agents performing rapid, multi-step actions.

DeviceProcessEvents
| where ProcessVersionInfoProductName contains "Perplexity" or ProcessVersionInfoCompanyName contains "Perplexity"
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "brave.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| where ProcessCommandLine contains "download" or ProcessCommandLine contains "submit-form"
| summarize count() by bin(Timestamp, 5m), DeviceName
| where count_ > 10 // Threshold for rapid automated actions

Has anyone else started incorporating AI-agents into their incident response playbooks, or are we treating them as Shadow IT for now?