Control at Stake: Evaluating the Security Landscape of LLM-Driven Email Agents

📅 2025-07-03
🤖 AI Summary
Existing LLM-driven email agents lack systematic security analysis. Method: This paper introduces Email Agent Hijacking (EAH), a novel attack model that remotely hijacks agent behavior by manipulating external email resources to compromise the agent's prompt. To enable empirical evaluation, we develop EAHawk, a fully automated assessment framework covering 14 agent frameworks, 63 applications, 12 LLMs, and 20 email services. Contribution/Results: Evaluated on 1,404 real-world deployed instances, EAH achieved 100% success rate with an average of only 2.03 attempts (minimum 1.23), demonstrating its ubiquity and efficiency. This work establishes the first security research paradigm for email agents and provides both a rigorous benchmark and empirical foundation for designing robust defense mechanisms.

📝 Abstract
The increasing capabilities of LLMs have led to the rapid proliferation of LLM agent apps, where developers enhance LLMs with access to external resources to support complex task execution. Among these, LLM email agent apps represent one of the widely used categories, as email remains a critical communication medium for users. LLM email agents are capable of managing and responding to email using LLM-driven reasoning and autonomously executing user instructions via external email APIs (e.g., send email). However, despite their growing deployment and utility, the security mechanism of LLM email agent apps remains underexplored. Currently, there is no comprehensive study into the potential security risk within these agent apps and their broader implications. In this paper, we conduct the first in-depth and systematic security study of LLM email agents. We propose the Email Agent Hijacking (EAH) attack, which overrides the original prompts of the email agent via external email resources, allowing attackers to gain control of the email agent remotely and further perform specific attack scenarios without user awareness. To facilitate the large-scale evaluation, we propose EAHawk, a pipeline to evaluate the EAH attack of LLM email agent apps. By EAHawk, we performed an empirical study spanning 14 representative LLM agent frameworks, 63 agent apps, 12 LLMs, and 20 email services, which led to the generation of 1,404 real-world email agent instances for evaluation. Experimental results indicate that all 1,404 instances were successfully hijacked; on average, only 2.03 attack attempts are required to control an email agent instance. Even worse, for some LLMs, the average number of attempts needed to achieve full agent control drops to as few as 1.23.
Problem

Research questions and friction points this paper is trying to address.

Evaluating security risks in LLM-driven email agents
Proposing Email Agent Hijacking (EAH) attack method
Assessing vulnerability of 1,404 real-world email agent instances
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proposed Email Agent Hijacking (EAH) attack method
Developed EAHawk pipeline for large-scale evaluation
Evaluated 1,404 email agent instances, all of which were successfully hijacked