A discussion currently bubbling on Lobsters AI points to a new arxiv paper that many in the security community believe is being underestimated by the mainstream. The subject: AI worms. Not science fiction, not a future threat — this is already happening in controlled laboratory environments, and the implications are unsettling.

The concept is simple enough to be frightening: instead of targeting operating systems or application vulnerabilities, these worms attack language itself. A malicious prompt hides inside an email. An AI-powered email assistant reads the message, and the prompt hijacks the assistant's output. The assistant then forwards a new message — containing the same malicious prompt — to the next recipient. Rinse and repeat.

Zero-click means exactly that: you don't need to click, open an attachment, or approve anything. The AI does the work for the attacker.

The researchers behind Morris II — named after the original Morris worm of 1988 — demonstrated that this is far from theoretical. They managed to get both ChatGPT and Gemini to forward infected messages and exfiltrate user data as part of the attack chain. That's the kind of finding that makes seasoned security professionals stop in their tracks.

What makes this particularly nasty? Traditional security systems look for signatures — known patterns in code or attachments. AI worms look like completely ordinary text. They pass spam filters because they are natural language. Some attackers are even abusing legitimate URL-rewriting services (used by security software) to disguise links as already "approved" by the system.

AI worms are now spreading via email — without you clicking anything - Bilde 1

The numbers from the research side are hardly reassuring: phishing volume has increased by more than 1,200 percent since generative AI became widespread, and an LLM can craft a convincing spear-phishing email in five minutes — something that took a human attacker 16 hours. URL-based threats now completely dominate the threat landscape, occurring four times more frequently than email attachments.

It's worth emphasizing: these are early signals from the research community and community discussions, not confirmed large-scale exploitation in the wild just yet. But the distance between proof-of-concept and actual attack tends to shrink quickly once a technique has been documented.

Why should you care now? Because AI-powered email assistants are being rolled out across enterprises at record speed. Copilot in Outlook, Gmail's smart features, third-party integrations — all of these are potential attack vectors that most IT departments don't yet have a clear policy for. That's exactly the kind of gap attackers love.

Keep an eye on this. It's going to become a much bigger conversation.