Concise Cyber

Varonis Details Zero-Click ‘GHOST’ Attack That Deleted Google Drive Files Via Gmail

Security researchers from Varonis have disclosed a zero-click attack vector that utilized a crafted email to delete a victim’s entire Google Drive. The attack, named GHOST (Google Hidden OAuth Scapegoat Trick), required no user interaction beyond the victim opening a malicious email within their Gmail account. The proof-of-concept demonstrated the agentic nature of the attack, where an automated script acted on the user’s behalf without their consent or knowledge.

The exploit leveraged a flaw in how Google Apps Script content was handled within the Gmail service. By embedding a malicious Apps Script in an email, an attacker could have code run in the victim’s browser as soon as the email was rendered. This agentic browser attack used the victim’s existing authenticated Google session to perform its actions.

The GHOST Attack Mechanism

The attack chain began with a threat actor sending a specially crafted email to a target’s Gmail address. This email contained a hidden Google Apps Script designed to execute automatically upon being opened. Because the script ran within the context of the user’s active Google session, it inherited the permissions associated with that user’s account. The Varonis team’s demonstration showed the script making authorized API calls to the Google Drive service, where it systematically enumerated and deleted every file stored in the account.

The zero-click nature of the GHOST attack was its most significant feature. Unlike phishing attacks that require a user to click a link or download an attachment, this vulnerability was triggered simply by the act of viewing the email. The automated script worked in the background, making it difficult for the victim to detect the malicious activity in real-time.
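The article notes that the script worked in the background and was hard for the victim to notice in real time. From the defender's side, the tell in a case like this is a burst of file deletions by a single account within a short window. The following is an added illustration, not code from Varonis or from the article, of a simple sliding-window detector over Drive activity records; the record format and the sample events are constructed for the example and do not reproduce Google's actual audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity records (hypothetical format, not Google's audit log
# schema). The "victim" account shows the GHOST-style pattern: a listing followed
# by a rapid run of deletions; "bob" deletes two files half an hour apart.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T10:00:00Z", "actor": "victim@example.com", "action": "list",   "file": "-"},
    {"ts": "2025-12-01T10:00:01Z", "actor": "victim@example.com", "action": "delete", "file": "budget.xlsx"},
    {"ts": "2025-12-01T10:00:03Z", "actor": "victim@example.com", "action": "delete", "file": "notes.docx"},
    {"ts": "2025-12-01T10:00:05Z", "actor": "victim@example.com", "action": "delete", "file": "photo1.jpg"},
    {"ts": "2025-12-01T10:00:08Z", "actor": "victim@example.com", "action": "delete", "file": "photo2.jpg"},
    {"ts": "2025-12-01T10:00:12Z", "actor": "victim@example.com", "action": "delete", "file": "contract.pdf"},
    {"ts": "2025-12-01T10:00:20Z", "actor": "victim@example.com", "action": "delete", "file": "thesis.tex"},
    {"ts": "2025-12-01T11:00:00Z", "actor": "bob@example.com",    "action": "delete", "file": "draft.txt"},
    {"ts": "2025-12-01T11:30:00Z", "actor": "bob@example.com",    "action": "delete", "file": "old.txt"},
]


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_deletion_bursts(events, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {actor: peak_deletions_in_window} for every actor whose number of
    delete actions inside any sliding window of length `window` reaches `threshold`.

    A normal user rarely deletes many files within a minute; an automated script
    acting on the user's behalf does exactly that, so this catches the burst even
    though every individual call was "authorized" by the user's live session.
    """
    deletions = defaultdict(list)
    for event in events:
        if event["action"] == "delete":
            deletions[event["actor"]].append(parse_ts(event["ts"]))

    alerts = {}
    for actor, times in deletions.items():
        times.sort()
        start = 0
        # Two-pointer sliding window: advance `start` until the span fits in `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


if __name__ == "__main__":
    for actor, peak in find_deletion_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} deleted {peak} files within 60s")
```

The threshold and window are tuning knobs: a one-minute window with five deletions is a reasonable starting point for individual accounts, but bulk-cleanup workflows (migration tooling, retention jobs) should be allow-listed or given a higher threshold so the alert stays actionable. Because the deletions here are performed with the victim's own credentials, this kind of behavioural rule is one of the few signals available; a login-anomaly rule would not fire at all.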

Responsible Disclosure and Mitigation

Upon discovering the vulnerability, Varonis followed responsible disclosure protocols and reported its findings to Google’s security team. Google acknowledged the report and implemented a fix to mitigate the threat. The fix now requires explicit user authorization before any Google Apps Script embedded in an email from an external sender can execute. This change removes the zero-click component of this specific attack vector: the script can no longer run on render, so user interaction and approval are required, and the GHOST attack can no longer succeed as originally designed.

Source: https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html