News Article · Jun 20, 2026 at 2:38 AM
Microsoft Discovers AutoJack Attack Allowing Remote Code Execution Through AI Browsing Agents
Security #AI security #Microsoft #remote code execution #AutoJack #vulnerability chains

Microsoft researchers detail AutoJack, an exploit chain that turns AI browsing agents into delivery vehicles for remote code execution. A single malicious webpage can trigger host code execution.

Microsoft researchers have detailed an exploit chain named AutoJack that allows a single malicious webpage to hijack an AI browsing agent and achieve remote code execution on the host machine. The attack requires no credentials, sign-in, or further user interaction once the agent loads the attacker's page.

The exploit chains together three minor vulnerabilities in Microsoft's AI agent framework, which Microsoft has since patched. Researchers warn that as enterprises deploy more autonomous agents, such attack surfaces will grow.

How AutoJack Works

An AI browsing agent visits a webpage it was asked to fetch. That page's JavaScript reaches a privileged local service on the same machine. The service then spawns a host process, giving the attacker code execution. The entire chain occurs without any visible prompt to the user.

  • Three distinct vulnerabilities are chained: a cross-origin leak, a local service bypass, and a process-spawning flaw.
  • Microsoft patched all three flaws before publication. Users should ensure agent frameworks are up to date.
  • The attack requires the agent to browse an untrusted website, but many enterprise agents do exactly that for research or monitoring tasks.
  • Researchers at Microsoft's Security Response Center discovered the chain during internal testing.

Broader Agent Identity and Governance Gaps

The AutoJack disclosure comes as security experts stress that most organizations fail to treat AI agents as distinct identities with limited permissions. A separate analysis by Token Security found that AI agents can access data, trigger workflows, deploy code, and interact with critical business systems, often with little oversight. Without proper identity and access management for agents, a compromised agent can move laterally inside a network.

Enterprise teams deploying autonomous agents have long complained that these systems run a short stretch before needing human supervision. The promised efficiency drains into constant oversight. AutoJack shows that even when agents run without humans, they can be co-opted by adversaries with a simple webpage.

What Comes Next

Microsoft recommends that organizations restrict the websites their agents can browse, apply the patches immediately, and enforce the principle of least privilege on agent service accounts. The broader lesson is clear: any autonomous system that touches the internet is a potential entry point. Security teams should audit their agent deployments for exposed local services and ensure agents cannot browse arbitrary URLs without validation.
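One way to implement the URL validation recommended above, as an added example that is not code from Microsoft or from this article: a per-request policy check that allowlists top-level sites and refuses any request, including one issued by page JavaScript, whose destination is loopback or otherwise internal. The allowlist, the sample DNS table, and the `resolve` hook are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy and DNS data for illustration only.
ALLOWED_SITES = {"example.com"}
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "cdn.example.net": ["93.184.216.35"],
    "localhost": ["127.0.0.1"],
    "rebind.example.net": ["127.0.0.1"],  # public name pointing at loopback
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def is_internal(ip_text):
    """True for loopback, private, link-local and any other non-public address."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    return not ip.is_global

def check_request(url, top_level, resolve=sample_resolve):
    """Decide one browser request; returns (allowed, reason).

    top_level is True for navigations, False for subresource or fetch calls.
    resolve is a hypothetical hook; a real deployment would wrap
    socket.getaddrinfo and connect only to the address that was checked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"
    if any(is_internal(a) for a in addrs):
        return False, "internal address"
    if top_level and not any(host == s or host.endswith("." + s) for s in ALLOWED_SITES):
        return False, "site not allowlisted"
    return True, "ok"
```

The check only helps if it runs on every request the agent's browser makes, not just the first navigation, and it complements rather than replaces authentication on the local service itself.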

Fact check

  • Microsoft researchers detailed an exploit chain named AutoJack that allows a single malicious webpage to hijack an AI browsing agent and achieve remote code execution on the host machine.

    verified · source

  • The attack requires no credentials, sign-in, or further user interaction once the agent loads the attacker's page.

    verified · source

  • Three vulnerabilities are chained: a cross-origin leak, a local service bypass, and a process-spawning flaw.

    reported · source

  • Microsoft patched all three flaws before publication.

    reported · source

  • A separate analysis by Token Security found that AI agents can access data, trigger workflows, deploy code, and interact with critical business systems, often with little oversight.

    verified · source
