Beyond Chat: This is the Operator Speaking
The Offensive Potential of Computer-Using Agents
Overview
Autonomous AI agents - known as Computer-Using Agents (CUAs) - are no longer science fiction! These systems can browse websites, interact with applications, and carry out tasks on their own. While intended to increase productivity, they can already be repurposed by threat actors for malicious use. In this post we will explore the cyber security implications of CUAs, showing how tools like OpenAI’s Operator can be manipulated to perform real-world attacks, and how we should prepare to defend against them.
Computer-Using Agents (CUAs)
Computer-Using Agents (CUAs) are a new chapter in the incredibly rapid evolution of AI. While traditional Large Language Models (LLMs) focus on generating text, CUAs take it a step further. These agents can interact with software, browse the internet, and carry out complex tasks on a user’s behalf through basic natural language instructions.
This sudden increase in AI capability comes with the promise of major productivity gains. But just as has been the case with any new and powerful tool, “here be dragons”, and in the case of CUAs, this extends directly into the cyber security domain.
In this post, we explore how OpenAI’s Operator, and other emerging tools from Google, Anthropic, and Meta, can be weaponised by threat actors. Instead of focusing on theoretical concerns, we will dive into practical and verifiable examples of CUAs being manipulated into performing automated reconnaissance, credential abuse, phishing, and application exploitation.
The Growing Landscape of AI
In this post we will focus on OpenAI’s Operator, as it has drawn a lot of attention with its sandboxed browser environment and autonomous behaviour. However, although it’s new and shiny, it is not the only tool out there redefining what AI agents can do! There are multiple other major vendors releasing - or actively testing - similar technologies, each with their own unique benefits and security implications:
OpenAI Operator: Operator runs in a sandboxed browser and is trained to perform complex web-based tasks, from navigating sites to writing and executing code – representing one of the most capable and flexible CUAs currently accessible.
Anthropic Claude: Claude’s “Computer Use” feature, released in 2024, allows for direct interaction with – and almost full control over - a virtual machine. This makes it very interesting in terms of potential for misuse, as it mimics hands-on keyboard access.
Google Project Mariner: Project Mariner is Google’s prototype platform, designed to enable Gemini models to directly interact with a user’s digital environment. Initial research shows that it supports interface navigation, workflow automation, and integration with Google Workspace and applications.
Meta Llama: Unlike the others, Meta’s models are entirely open source. As such, developers can build their own CUAs using Llama, with no vendor oversight, no safety guarantees, and no built-in constraints. This freedom is powerful but dangerous in the hands of an active threat actor.
MCPs and LLMs: Also worth noting is the creation of Model Context Protocols (MCPs) alongside LLMs. This allows LLMs to interact with API-based tools in a context-aware way, enabling autonomous data analysis and reactive task execution. While these capabilities enhance functionality, they also introduce new risks and opportunities for abuse.
Although these tools vary in their technical architecture and intended use cases, there is a clear underlying trend:
Many AI technologies are now capable of autonomously performing real-world actions. And those actions, whether helpful or harmful, can be triggered through nothing more than a simple text prompt.
CUA - Computer-Using Ag... Attackers
The idea that these technologies can be abused to perform malicious actions is not just theoretical. Our, and others’, security research has already demonstrated that prompt injection, identity attacks, phishing, and exploitation are possible using these new autonomous systems. To demonstrate this, we tasked Operator with completing a number of malicious tasks, gradually increasing the technical complexity of each one.
CUAs for Reconnaissance
One of our initial test cases was to investigate how CUAs could be used to automate reconnaissance, information gathering, and analysis. Analysis was the key part: automated information gathering and scraping has been possible for a while in various forms, but simultaneous automated analysis and contextualisation of that information is different.
Using the following prompt, we were able to demonstrate how Operator could automatically access LinkedIn and identify a number of CultureAI employees who had joined within the last 90 days. The prompt was as simple as:
[Screenshot: the reconnaissance prompt given to Operator]
Operator responded with a precise list of new starters, complete with names, roles, and start dates extracted by analysing recent company posts and profile updates.
While this may seem like a benign request for information, it demonstrates the speed and scale with which an attacker could now automate reconnaissance and analysis. What would once require considerable time and manual research can now be done by an AI in minutes:
[Screenshot: Operator's list of new starters with names, roles, and start dates]
This information could subsequently be used by a malicious AI or threat actor to target these users with tailored phishing campaigns – as documented in our previous research.
CUAs for Identity Attacks
Another area where CUAs enhance attacker capabilities is with identity attacks. Let's consider credential stuffing - where attackers test known username and password pairs across multiple services – and dictionary attacks, which cycle through known or common passwords to brute-force access. These techniques aren’t new, but CUAs change how easily they can be executed.
Traditionally, attackers would rely on custom tooling and automation frameworks to perform these tasks, but this required infrastructure creation, ongoing maintenance, and constant updates to evade detection, rate limiting, and CAPTCHA defences. CUAs like Operator remove the need for such technical and manual overhead. They are capable of navigating login pages, entering credentials, responding to prompts, completing CAPTCHAs, and logging results as if they were human.
To validate this, we instructed Operator to test the login flows for several common SaaS platforms using a target email address and a public list of known compromised passwords:
[Screenshot: the credential-testing prompt given to Operator]
Operator completed the various login attempts using the supplied credentials and reported back, confirming it had gained access to one of the accounts:
[Screenshot: Operator's report of the login attempts, confirming access to one account]
This test was limited to a few passwords from an arbitrarily long list across three SaaS solutions. However, now consider how this process could be replicated and scaled across thousands of accounts simultaneously using multiple agents. What was once a relatively noisy and detectable attack could now be carried out at scale from multiple sources.
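Because an agent completes the CAPTCHA and types the password correctly, defences that rely on bot-like failures will miss it; what remains visible is the fan-out pattern in authentication logs. The detection logic below is an added example, not code from the original post or from OpenAI. The log format (timestamp followed by key=value fields), the sample lines and the thresholds are constructed for illustration; it reports both sources that spray many accounts across several services and, separately, accounts that were tried on several services from any source, so that spreading the attempts across multiple agents and IP addresses does not hide them.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not from the original post. The log format (timestamp plus
key=value fields) and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling a leaked password list across three
# SaaS services and several accounts; one ordinary user mistyping once.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z src=203.0.113.7 svc=crm user=alice@example.com result=fail
2025-05-01T10:00:09Z src=203.0.113.7 svc=crm user=bob@example.com result=fail
2025-05-01T10:00:18Z src=203.0.113.7 svc=hr user=alice@example.com result=fail
2025-05-01T10:00:26Z src=203.0.113.7 svc=hr user=bob@example.com result=success
2025-05-01T10:00:35Z src=203.0.113.7 svc=mail user=alice@example.com result=fail
2025-05-01T10:00:44Z src=203.0.113.7 svc=mail user=carol@example.com result=fail
2025-05-01T10:01:02Z src=198.51.100.4 svc=crm user=dave@example.com result=fail
2025-05-01T10:01:40Z src=198.51.100.4 svc=crm user=dave@example.com result=success
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def _in_window(records, key, window, predicate):
    """Group records by `key`, sort by time, and return the first time window
    of length `window` per group for which `predicate(window_records)` holds."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[key]].append(rec)
    hits = {}
    for k, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            win = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            if predicate(win):
                hits[k] = win
                break
    return hits


def stuffing_sources(records, window=timedelta(minutes=5), min_accounts=3, min_services=2):
    """Sources trying many accounts across several services in a short window.
    Success or failure is irrelevant: an agent that solves the CAPTCHA and
    types the password correctly still shows this fan-out pattern."""
    hits = _in_window(
        records, "src", window,
        lambda win: len({r["user"] for r in win}) >= min_accounts
        and len({r["svc"] for r in win}) >= min_services,
    )
    return {
        src: {
            "attempts": len(win),
            "accounts": sorted({r["user"] for r in win}),
            # accounts to force a password reset on
            "compromised": sorted((r["svc"], r["user"]) for r in win if r["result"] == "success"),
        }
        for src, win in hits.items()
    }


def sprayed_accounts(records, window=timedelta(minutes=5), min_services=2):
    """Accounts whose credentials were tried on several services in a short
    window, from any source. This per-account view still fires when the
    attempts are spread across many agents and IP addresses."""
    hits = _in_window(records, "user", window,
                      lambda win: len({r["svc"] for r in win}) >= min_services)
    return {user: sorted({r["svc"] for r in win}) for user, win in hits.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(stuffing_sources(recs))
    print(sprayed_accounts(recs))
```

On the sample data the per-source rule flags 203.0.113.7 (six attempts, three accounts, three services, one success on the hr service), while the per-account rule flags alice and bob because each was tried against more than one service; the second rule is the one that keeps working once the attempts come from many sources, which is exactly the scaling the post describes. Correlating the per-account view requires that the different services send their authentication events to one place.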
CUAs for Payload Creation and Phishing
While phishing automation is a well-worn concept, CUAs like Operator elevate it considerably. In a test inspired by the full end-to-end proof-of-concept by Symantec’s Threat Hunter team, we explored how an AI agent could autonomously craft and deliver a malicious payload without any additional human guidance beyond the initial prompt. The prompt used was:
[Screenshot: the phishing prompt given to Operator]
Operator executed every instruction, end-to-end, returning this summary of its actions:
[Screenshot: Operator's summary of the actions it took]
Creation of the email could be seen in the Operator browser window as it worked:
[Screenshot: the email being created in the Operator browser window]
When creating the payload sent along with this email, Operator installed the Google Workspace Text Editor plugin and used it to write a basic bash script that printed system information:
[Screenshot: the bash script written by Operator]
While the final payload sent does not actually exfiltrate any data, the full process demonstrates the agent’s ability to automatically interpret instructions, solve problems, generate code, and perform complex multi-step tasks based on simple commands without issue.
CUAs for Vulnerability Discovery and Exploitation
Beyond social engineering and identity attacks, CUAs have also proven their ability to automate vulnerability discovery and exploitation. In another prompt, we instructed Operator to test access to a website, check for SQL injection, and upload a web shell to get code execution, if possible:
[Screenshot: the exploitation prompt given to Operator]
Operator completed this task without issues, including the successful completion of a CAPTCHA presented when accessing the website:
[Screenshot: Operator completing the CAPTCHA on the target website]
During task execution, Operator initially failed to bypass the login using SQL injection; however, after multiple attempts generating different payloads, it was able to gain access to the site as the “admin” user:
[Screenshot: Operator logged in as the admin user after the SQL injection]
While this SQL injection was relatively basic by human standards, the agent's ability to identify it and test multiple generated payloads to gain access continued to demonstrate its strong problem-solving capabilities, without the need for additional user input.
Following this, the agent made several attempts to upload a web shell via the application’s notes feature. It initially submitted a PHP payload without a file extension, which failed to execute. However, after recognising this, it returned to the notes form and uploaded a second web shell - this time with a .php extension - successfully achieving code execution:
[Screenshot: the uploaded web shell achieving code execution]
This demonstrated how, even when given light instructions, CUAs like Operator can complete fairly complex multi-step exploitation activities, including payload creation, delivery, and post-exploit verification.
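The upload step succeeded because the notes feature accepted whatever file name the agent supplied and served the result back from the web root. The following is an added example, not the target application's or the post's code, showing the checks a notes-style upload handler would need to make that second attempt fail as well: an extension allow-list, rejection of double extensions, a magic-byte check on binary types, a script-marker check on text, and a server-chosen storage name. The allow-list and the marker list are assumptions chosen for the illustration.

```python
"""Validate user-supplied uploads before storing them.

Added example, not the post's or the target application's code. The
allow-list, the script markers and the notes-style upload flow are assumptions.
"""
import os
import secrets

# Assumed policy: notes may carry images and plain documents only.
# Each allowed extension maps to the magic bytes its content must start with
# (None for plain text, which has no signature and is checked for script markers).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".txt": None,
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def check_upload(filename, content):
    """Return (ok, reason). Rejects anything outside the allow-list, names with
    more than one extension (so 'x.php.png' is refused, at the cost of also
    refusing 'report.final.pdf'), content whose leading bytes do not match the
    declared type, and text files carrying server-side script markers."""
    base = os.path.basename(filename)            # drop any path components
    name, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext or '(none)'}"
    if "." in name:
        return False, "multiple extensions not allowed"
    magic = ALLOWED[ext]
    if magic is not None and not content.startswith(magic):
        return False, "content does not match declared type"
    if magic is None and any(m in content.lower() for m in SCRIPT_MARKERS):
        return False, "script content in text upload"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: a random token plus the validated extension, so the
    uploader never controls the stored path or file name. Store the file
    outside the web root and serve it through a handler that sets a fixed
    Content-Type rather than letting the web server execute it."""
    _, ext = os.path.splitext(os.path.basename(filename).lower())
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for fn, body in [("notes.png", b"\x89PNG\r\n\x1a\n\x00"),
                     ("shell.php", b"<?php echo 1; ?>"),
                     ("shell.php.png", b"\x89PNG\r\n\x1a\n\x00"),
                     ("notes.txt", b"<?php echo 1; ?>")]:
        print(fn, check_upload(fn, body))
```

The extension check alone is what the application in the test lacked; the magic-byte and marker checks close the obvious next move of renaming a script to an allowed extension, and the server-chosen storage name removes the uploader's control over where the file lands.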
Current Limitations and Guardrails
So, with those test cases performed, it may seem like it's super easy to abuse these technologies and set them on their merry way to cause the AI apocalypse, right? But is it?
Thankfully - for us humans - it's not as stress-free as it may seem, and systems like Operator do include some security controls. These are, however, as inconsistent as they are frustrating from the perspective of a threat actor.
I’d say about 75% of the time, Operator frequently paused execution, asked for additional user input, or refused to comply with certain instructions - such as completing CAPTCHAs, performing automated logins, and generating credentials. It also often required that the user monitor sensitive actions, like the authenticated access to email and social media accounts.
These controls can rapidly turn the dream of an automated task, saving you time, into a tedious waste of time and energy as you monitor the AI - just in case it stops. (Though I suppose that’s karma if you’re trying to use it for malicious purposes!)
That said, prompt injection is still a major weakness, and the tasks may succeed or fail depending on slight variations in phrasing and tone - including using creds and completing CAPTCHAs:
[Screenshot: a prompt variation changing whether Operator completed the task]
As attacker methodologies and capabilities improve, the defensive controls enforced on these technologies will need to mature rapidly to keep up. However, we ultimately expect that attackers will shift from legitimate platforms to their own underground custom CUA technologies with no restrictions, as we have seen with GPTs already.
Control Inconsistencies
Although Operator includes multiple security controls designed to prevent, detect, and limit malicious behaviour, we sometimes found that simply opening a new tab and reissuing the exact same prompt would result in the AI ignoring its previous concerns and completing the full task without question anyway.
With that in mind, I’ve included a few examples where Operator’s security controls initially interfered with task completion, but where we ultimately bypassed them during our research:
Refusing to comply
Some attempts to have Operator perform tasks such as account login, SQL injection, or CAPTCHA completion, resulted in it refusing to comply because these actions should be performed manually, or were seen as malicious:
[Screenshot: Operator refusing to comply with the request]
However, other times it was perfectly happy to complete these tasks without user interaction and without making changes to the original prompt.
I think opening a new tab is going to be the AI equivalent of the classic “have you tried turning it off and on again”.
Requiring manual user authentication
Similarly, sometimes, even though it had been provided with credentials, it refused to authenticate and instead requested that the user take control and manually complete the login:
[Screenshot: Operator requesting that the user log in manually]
Despite this initial concern, in other instances it was happy to perform the login autonomously using the same prompt, and in other cases it was bypassed after making minor modifications to the prompt.
Requesting user input
Partway through some tasks Operator may pause and request user input to confirm what the user wants it to do – despite being told to complete all tasks without asking for input:
[Screenshot: Operator pausing to request user input]
However, after a number of additional attempts it ultimately completed these steps without asking for my input anymore – perhaps it just got fed up with the back and forth. AI fatiguing!
Flagging suspicious activity
Often, as Operator is working, it won’t fully stop its task execution when something suspicious is found, but will instead temporarily pause execution and present the user with a warning. This was by far the most frequent issue we found when manipulating Operator to perform malicious tasks.
This typically happened when the AI found itself performing particularly sensitive or dangerous tasks, such as authenticated account access, or when it observed logins, detected passwords, or identified malicious code on screen.
However, the user can simply click to mark the task as safe, and Operator will carry on with whatever it was doing.
[Screenshot: Operator's suspicious-activity warning with the option to mark the task as safe]
This control was very inconsistent, and many times identical tasks and execution flows that had previously raised a risk no longer would, even though the information displayed and the task performed were predominantly the same – or sometimes identical.
Conclusion
Computer-Using Agents like OpenAI’s Operator aren’t just productivity boosters - they’re potential digital threat actors. When used legitimately, they can automate real work and make life easier, but in the wrong hands, they can be let loose to identify targets, compromise user accounts, discover vulnerabilities, and interact with victims.
Our research shows that these agents are already capable of credential abuse, phishing attacks, malware delivery, and even vulnerability exploitation. And while current capabilities remain partially limited, the potential for large-scale abuse in the immediate future is very real.
Organisations adopting or creating CUAs should treat them like any high-risk component, and subject them to robust security controls and strict scrutiny. At a minimum:
Limit their access to production systems and sensitive data
Monitor the agent’s behaviour and log all actions for audit
Train the agents to be more robust against prompt injection
Run the agents in isolated environments with minimal privileges
Consider a conservative maximum execution limitation
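Several of these controls can be enforced outside the model, in a policy gate that every agent action has to pass through, which matters because the post shows the model's own refusals are inconsistent. The class below is an added example, not OpenAI's or the post's code. The action format (a dict with 'type', 'url' and, for logins, 'credential_id'), the host allow-list, the action budget and the credential-to-host scoping are assumptions chosen to put the list above into working code: least-privilege access via a host allow-list, an audit record for every decision, a hard execution limit, and human approval for sensitive steps. Scoping each stored credential to one host is what keeps a prompt-injected agent from replaying it into a login form elsewhere.

```python
"""Policy gate in front of a computer-using agent's actions.

Added example, not OpenAI's or the post's code. The action format (a dict
with 'type', 'url' and, for logins, 'credential_id') and the policy values
are assumptions chosen to show the controls listed above in code.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import json
import time

# Action types that always need a human in the loop, whatever the model thinks.
SENSITIVE = frozenset({"submit_credentials", "upload_file", "run_code", "send_email"})


@dataclass
class AgentPolicy:
    allowed_hosts: frozenset                               # least privilege: where the agent may act
    max_actions: int                                       # conservative execution limit
    credential_scope: dict = field(default_factory=dict)   # credential_id -> the one host it belongs to
    audit_log: list = field(default_factory=list)
    actions_taken: int = 0

    def evaluate(self, action, approved=False):
        """Decide whether `action` may run. Returns (allowed, reason) and
        records every decision, allowed or not, for later audit."""
        allowed, reason = self._decide(action, approved)
        self.audit_log.append({"ts": time.time(), "action": action,
                               "allowed": allowed, "reason": reason})
        if allowed:
            self.actions_taken += 1
        return allowed, reason

    def _decide(self, action, approved):
        if self.actions_taken >= self.max_actions:
            return False, "execution budget exhausted"
        # Parse the hostname properly; substring checks on the raw URL are
        # fooled by names like crm.example.com.evil.net.
        host = urlparse(action.get("url", "")).hostname
        if host is None or host not in self.allowed_hosts:
            return False, f"host not allow-listed: {host}"
        if action["type"] == "submit_credentials":
            expected = self.credential_scope.get(action.get("credential_id"))
            if expected != host:
                # A stored credential may only be used on the host it was issued for.
                return False, "credential not scoped to this host"
        if action["type"] in SENSITIVE and not approved:
            return False, "sensitive action needs explicit human approval"
        return True, "ok"


def run_demo():
    """Constructed sequence of agent actions exercising each control."""
    policy = AgentPolicy(allowed_hosts=frozenset({"crm.example.com"}), max_actions=3,
                         credential_scope={"crm-login": "crm.example.com"})
    login = "https://crm.example.com/login"
    steps = [
        ({"type": "navigate", "url": "https://crm.example.com/"}, False),
        ({"type": "navigate", "url": "https://crm.example.com.evil.net/"}, False),
        ({"type": "submit_credentials", "url": login, "credential_id": "crm-login"}, False),
        ({"type": "submit_credentials", "url": login, "credential_id": "crm-login"}, True),
        ({"type": "submit_credentials", "url": login, "credential_id": "hr-login"}, True),
        ({"type": "navigate", "url": "https://crm.example.com/reports"}, False),
        ({"type": "navigate", "url": "https://crm.example.com/export"}, False),
    ]
    return [policy.evaluate(a, approved) for a, approved in steps], policy


if __name__ == "__main__":
    decisions, policy = run_demo()
    print(json.dumps(policy.audit_log, indent=2))
```

In the demo sequence the gate allows the first navigation, blocks the look-alike host, blocks the unapproved login, allows it once approved, blocks a credential used on a host it was not issued for, allows one more navigation, and then refuses further actions because the budget of three is spent; all seven decisions, including the refusals, end up in the audit log. Note that the gate decides on what the agent is about to do, not on what the model says it intends, which is why it does not suffer from the new-tab inconsistency described above.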
While it’s not yet completely practical for attackers to retire and simply automate large-scale, highly complex, end-to-end attacks without any human input or oversight, the immediate threat of this is not theoretical. The AI is here, the abuse is possible, and our security teams and technologies must not only catch up, but keep up, and fast.
References
openai.com - Operator
https://openai.com/index/introducing-operator/
deepmind.google.com - Project Mariner
https://deepmind.google/technologies/project-mariner/
anthropic.com - Introducing computer use
https://www.anthropic.com/news/3-5-models-and-computer-use
llama.com - Llama
culture.ai - You're Not My Supervisor! Researching My Own New Starter Scam
https://www.culture.ai/resources/blog/researching-my-own-new-starter-scam
pushsecurity.com - How new AI agents will transform credential stuffing attacks
https://pushsecurity.com/blog/how-new-ai-agents-will-transform-credential-stuffing-attacks/
security.com - Advent of Agents Opens New Possibilities for Attackers
https://www.security.com/threat-intelligence/ai-agent-attacks
arxiv.org - LLMs with the Model Context Protocol Allow Major Security Exploits
https://arxiv.org/abs/2504.03767
linkedin.com - Operator automated exploitation PoC