The Coming Wave of Multimodal Attacks: When AI Tools Become the New Exploit Surface

As large language models (LLMs) evolve into multimodaaliset järjestelmät that can handle text, images, voice and code, they’re also becoming powerful orchestrators of external tools and connectors. With this evolution comes an expanded attack surface that organizations need to be cognizant of.

A prime example of this is social engineering, which agents can fall victim to because they were trained to act like humans do and they have even less skepticism. An agent, for instance, is unlikely to be able to determine the difference between a spoofed email versus one from a legitimate retailer.

The convergence of multimodality and tool access transforms AI from assistant into a medium for attack.  Attackers can now use simple text prompts to trigger tool misuse, execute unauthorized actions or exfiltrate sensitive data through legitimate channels. Because these capabilities are designed for accessibility, not defense, even low-skill adversaries can leverage AI systems to perform complex operations without writing a single line of code.

How multimodal AI becomes an exploit chain

LLMs are increasingly becoming orchestrators of external systems, with integrations today now including everything from APIs to email, cloud storage and code execution tools. These connectors are often built for accessibility, not defense.

The downside of this is that it can lead to a wave of new exploits.

One is prompt-driven tool misuse. For example, an attacker could use an image with prompt injection instructions inserted into an email. An optinen merkintunnistus (OCR) tool is needed to extract the text from an image. The agent is instructed to reply to the email and attach a Google map to the home address of the target, thus de-anonymizing the victim’s location.

Another mechanism is cross-modal guardrail evasion. This relates to guardrails that sit between the entry and exit points of tools. For instance, analyzing the output of an OCR extractor, there might not be a strong enough guardrail around prompt injections discovered from its output.

There are also structural weaknesses that can be exploited. One such issue is the loose, overly permissive bindings between the model and the external tools it can call—meaning a simple natural-language prompt can trigger real actions like running code, accessing files, or interacting with email. On top of that, many of these systems lack strict access controls, so the AI may have the ability to write, delete, or modify data far beyond what a human would ever authorize. The problem grows even more serious when you look at connectors and MCP-style extensions, which often come with almost no guardrails; once attached, they expand the AI’s reach into personal storage, inboxes, and cloud platforms with very little oversight. Together, these structural weaknesses create an environment where classic security issues—exfiltration, sandbox escapes, and even memory poisoning—can be triggered through nothing more than a cleverly crafted prompt.

Emerging threats: What comes next?

In this new normal, AI-enabled email and social engineering attacks are imminent. Phishing volume will increase due to the use of LLMs by the attacker; the choke point is bypassing normal spam filters from email providers such as Google. Inbox-connected AI agents increase the probability of phishing attacks succeeding. There will likely be a rise in email-based threats as users connect agents to Gmail or Outlook.

Attackers can direct the AI to run entire spam or spear-phishing campaigns. In this scenario,

AI-to-AI phishing becomes plausible.

Multimodal systems increasingly offer code execution capabilities. Escape paths allow attackers to breach the underlying infrastructure. And sandbox escapes represent the biggest reputational nightmare for vendors.

Long-term memory poisoning and deferred triggers represent further threats. Persistent memory allows hidden payloads to activate on future prompts. Cross-modal triggers (e.g., images or text snippets) could set off time-bomb behaviors.

Why multimodal attacks are so accessible and so dangerous

AI has democratized attack capabilities. Users no longer need coding or malware-development skills; natural language becomes the interface for malware creation or data exfiltration. This means that even non-technical individuals can generate malware or run campaigns via prompts.

AI also enable the acceleration and scale of harmful operations. Multimodal agents can automate work that once required expert effort. Code, emails, research and reconnaissance can be produced instantly.

User over-trust and unintentional exposure contribute to AI’s harm potential. Users often do not understand what the AI can access, and default settings increasingly auto-enable AI integrations. Many people don’t realize they’ve granted the AI excessive access to email or documents.

Principles and controls for multimodal security

Organizations must put security measures against multimodal attacks in place. Security teams will need to restrict tool access by default. Opt-in controls should replace auto-enabled integrations. They should also apply least-privilege access to all AI-connected systems and remove write/delete access. This should include cross-origin rules and domain whitelisting (infrastructure whitelisting and not LLM-level whitelisting).

Another key step is to build explicit guardrails for tool invocation. Replace natural-language triggers with structured, typed command validation. Guardrails should be both input and output chokepoints.

Additional important principles and controls include:

• Enforce strong approval workflows for sensitive operations.
• Avoid putting user data in persistent model memory. Apply automated memory sanitization and provenance checks.
• Harden and isolate code execution environments.
• Monitor for suspicious behaviors and escape attempts.
• Strengthen user education and transparency.
• Add more user confirmation when the agent is performing risky tasks.
• Make it clear when AI tools are accessing emails, files or cloud resources.
• Warn users about high-risk connectors.

Succeeding against multimodal attacks

AI technologies have quickly morphed into agents of business operations, creating a situation in which natural language itself becomes a form of exploit. The convergence of multimodality and tool access opens up the attack surface, turning AI from an assistant into a medium for attacks. Multimodal attacks exploit the loose integration between LLMs and the external systems they control, such as APIs, file storage and automation platforms.

As threats evolve, organizations must adopt strategies that explicitly account for multimodal attack paths. Strengthening defenses using the best practices above is essential to prevent AI tools from unintentionally serving as links in an attacker’s exploit chain.