Prompt Injection and a $5 Domain Trick Salesforce Agentforce into Leaking CRM Data
A $5 domain and indirect prompt injection could let attackers siphon Agentforce lead data. Salesforce patched it and now enforces trusted URL allow-lists.
ForcedLeak: How a $5 domain and a prompt trick exposed Salesforce Agentforce data
A now-fixed flaw in Salesforce Agentforce could have let attackers siphon lead data through indirect prompt injection. Researchers say a DNS misconfiguration and an expired trusted domain made it possible. Salesforce has shipped patches and now enforces trusted URL allow-lists for Agentforce and Einstein to block data from being sent to untrusted links.
The issue, labeled "ForcedLeak" by Noma Security, was rated critical (CVSS v4.0 score 9.4). The exploit shows how AI agents can be manipulated into pulling CRM records and sending them off-platform without a human ever hitting send.
What actually happened
Agentforce AI agents were steered by hidden instructions planted in customer input. With Web-to-Lead enabled, attackers used the long "description" field to insert a multi-step prompt that asked the agent to list lead emails, then "embed a preview image" that referenced those emails in a URL parameter.
Salesforce's Content Security Policy trusted a domain that had expired. Researchers bought it for five dollars, received the agent's outbound request, and captured the lead data. Salesforce has since re-secured the domain and enforced trusted URL allow-lists, preventing Agentforce output from being sent to unknown endpoints.
Why sales leaders should care
Your pipeline is your business. If AI agents can exfiltrate lead emails, deal notes, or pricing, you face lost deals, compliance headaches, and customer distrust. This incident shows that AI-driven workflows need the same scrutiny as any integration that touches CRM data.
How the attack flowed (plain English)
- Web-to-Lead was on. The "description" field allowed ~42,000 characters.
- The input included friendly questions to mask malicious intent, then a final instruction to render an image that pointed to a "trusted" domain with lead emails embedded in the URL.
- The attacker bought that once-trusted domain and collected whatever the agent sent in the request.
- No one on the sales team saw it happen, because the agent did the work automatically.
Actions to take now
- Confirm patches: Ensure Trusted URLs Enforcement is active for Agentforce and Einstein. Permit only first-party and vetted domains.
- Tighten permissions: Apply least privilege for AI agents. Remove lead-read access where it's not required for the task.
- Harden intake forms: Reduce long free-text fields, strip HTML, sanitize inputs, and add moderation for fields that flow into AI agents.
- Control egress: Block pixel beacons and unknown domains at the network and email layers. Set alerts for outbound requests with lead data.
- Disable risky rendering: If possible, force agents to output plain text only. Disallow external images or links generated from user input.
- Test your setup: Run red-team prompts against sandboxes. Try indirect injections on demo leads and confirm nothing leaves your environment.
- Train your team: Explain how prompt injection works. Marketing ops and SDRs should know how lead forms can become attack vectors.
- Review vendors: Ask AI/CRM vendors how they enforce allow-lists, sanitize inputs, and block data exfiltration in agent outputs.
Questions to ask your admin and vendors
- Which domains are on our allow-list, and who owns them?
- Can our agents send data to external URLs under any condition?
- Which roles grant read access to lead emails, notes, and attachments?
- Do we log and alert on outbound requests that include CRM fields?
- Have we tested indirect prompt injections against our lead flows?
Key references
Moving forward
AI agents amplify output and risk. Treat them like new employees: define permissions, restrict tools, review their work, and log everything. Small gaps-like a forgotten domain-can create big leakage.
If you're rolling out AI-driven sales workflows and want structured upskilling for your team, explore our curated options by role: Complete AI Training - Courses by Job.
