Researchers Trick Perplexity’s Comet AI Browser Into Phishing Scam in Under Four Minutes
Security researchers have demonstrated that Perplexity’s Comet browser can be manipulated into completing a phishing workflow in less than four minutes of iterative testing, highlighting a fast-moving risk in the new class of agentic browsers. The issue is not simply that an AI browser can misread a malicious page. The deeper problem is that the browser exposes a rich stream of reasoning, safety hesitation, and tool-level behavior that attackers can use as feedback to refine malicious pages until the agent stops objecting.
Guard.io researchers describe this leakage as “Agentic Blabbering,” a condition in which the browser effectively reveals what it sees, what it thinks is suspicious, and what sequence of actions it is considering next. Once that signal becomes observable, the attacker no longer has to guess what might fool a human victim. They can instead optimize directly against the model that millions of users may rely on for web actions, account access, shopping, and form submission.
That shift matters. Traditional phishing attacks are built around human deception at scale. In this model, the target becomes the browser agent itself. The attacker trains the lure offline against the browser’s own decision process, then deploys a page that is already tuned to pass the model’s checks on first contact.
Key Technical Takeaways
- Researchers intercepted agent-to-server traffic to observe Comet’s reasoning, screenshots, page reads, and safety signals.
- A GAN-style optimization loop was used to iteratively refine a phishing page based on the browser’s objections and hesitation.
- The proof of concept succeeded in four iterations, taking under four minutes to move from obvious phishing bait to a page the browser trusted.
- The attack exploited the browser’s autonomous tool use, including page screenshots, DOM interpretation, navigation, clicking, and form interaction.
- The browser’s verbose narration created a feedback channel that allowed the phishing page to be tuned specifically for Comet’s guardrails.
- The risk scales horizontally because once a page works against a specific model and workflow, it can potentially work against all users of that same agent.
- Related research on Scamlexity, VibeScamming, and PerplexedBrowser shows that prompt injection, exfiltration, and workflow hijacking are becoming persistent classes of risk for browser agents.
Event Overview
The research finding was disclosed in March 2026 as part of Guardio’s research into AI-native scam techniques targeting browser agents. The researchers selected Perplexity Comet as a case study and instrumented the browser’s traffic to understand how the agent perceives web pages and decides whether to proceed with sensitive actions. Their focus was not a classic memory corruption bug or renderer exploit. It was the browsing model itself.
Comet, like other agentic browsers, executes user tasks through high-privilege abstractions such as navigation, page reading, screenshots, clicking, typing, and waiting. That gives the browser a powerful automation surface inside authenticated user sessions. The same architecture that makes it useful also creates a large semantic attack surface where malicious content can influence what the agent believes the user intended.
Guard.io’s proof of concept centered on a refund-scam narrative. A user prompt asking the browser to log into an account and submit a refund request became the entry point for the attack. Starting with an intentionally poor phishing page, the researchers let the browser inspect it, captured the reasons for rejection, modified the page accordingly, and repeated the process until the browser no longer raised meaningful warnings and proceeded with the fraudulent task.
The practical impact is larger than the single demonstration suggests. Recent research around Perplexity Comet has already shown that agentic browsers can be induced to exfiltrate local files or abuse password manager workflows when malicious instructions are hidden in trusted content such as calendar invites. Combined with this phishing optimization research, the message is clear: once the browser becomes the action-taking principal, every source of external content becomes a potential control channel.
Technical Analysis
The most important technical insight from the Guardio research is that agentic browsers do not browse like humans. They browse through tools. Instead of visually scanning a page and manually deciding what to do, the agent composes actions from a backend-driven control plane. In Comet’s observed workflow, that included a screenshot-based visual understanding path and a structured page-reading path that converts the DOM into labeled blocks the model can reason over.
This creates two exploitable conditions. First, the agent emits telemetry and reasoning about why a page is unsafe, which gives the attacker near real-time information about which features triggered a warning. Second, the browser is acting on an interpretation of the page rather than on stable intent-grounded policy. That means the attacker can iteratively tune visual cues, copy, form structure, and trust signals until the model’s classifier-like judgment flips from suspicious to acceptable.
Guard.io reportedly routed HTTPS traffic through Burp Suite and built an extension to capture and structure agent telemetry into a searchable dataset. That telemetry included what the browser saw, how it described the page, which actions it planned, and which risk signals it surfaced. The researchers then fed this data into a GAN-style feedback loop. In practical terms, one component generated or modified the phishing page, while another evaluated the page using the browser’s own reactions as the critic.
That is a significant evolution from ordinary phishing-kit testing. Human phishing operators typically A/B test landing pages against conversion rates, blocked URLs, or email open rates. Here, the landing page is being trained directly against the AI browser’s internal logic. The goal is not to look convincing to a person. The goal is to become “AI-browser-safe” enough that the agent chooses to continue.
According to the research, the optimization sequence moved through distinct decision layers. In the first pass, the page failed the visual test and triggered an explicit phishing warning. After cosmetic improvements removed obviously fake design elements, the browser’s objections shifted toward credibility and structure. In a later phase, Comet moved from screenshot-based judgment to deeper page reading, flagging social-engineering patterns such as urgency and reassurance cues. By the fourth iteration, the guardrails had quieted enough that the browser claimed it had successfully logged in and submitted a refund request, even though the page was still malicious and the action handed over sensitive data to the attacker-controlled workflow.
Two broader security issues emerge from this. One is observability leakage: the agent reveals too much about its decision process. The other is authority without hard boundaries: once the agent is convinced a task is legitimate, it can act with the user’s browser context, session state, and possibly access to highly sensitive environments.
Attack Chain
- Initial Access: User is presented with a scam narrative such as a fake invoice or refund request and delegates resolution to the AI browser.
- Reconnaissance Against the Agent: Attacker observes agent-server traffic and captures screenshots, page interpretations, reasoning traces, and safety commentary.
- Page Generation: A phishing page is generated with forms, branding, and flow designed to match the delegated task.
- Adversarial Optimization: The page is repeatedly modified based on the browser’s warnings, hesitations, and structured feedback.
- Execution: Once the browser deems the page sufficiently trustworthy, it navigates, types credentials, clicks controls, and submits attacker-chosen data.
- Credential Theft: Login credentials, PII, or account recovery information are captured by the malicious site.
- Impact: The attacker gains account access or sensitive data through the agent’s authorized browsing context.
Security Impact
This research matters because it compresses the distance between model exploitation and real-world fraud. Agentic browsers sit inside authenticated sessions and are designed to act with user authority. Once that capability is paired with autonomous page navigation and tool use, phishing becomes only one possible outcome. The same primitive can support local data exposure, cloud console abuse, email manipulation, password vault interaction, and transaction execution.
It also reveals a structural problem for defenders. Prompt injection is not merely a content moderation issue in this context. It is an architectural issue tied to how browsers merge trusted user intent with untrusted web content and then allow a model to decide which instructions dominate. As several recent studies on agent security have argued, this class of weakness requires system-level controls, not just smarter filters.
The operational implication for enterprises is clear: browser agents should be treated as high-risk automation endpoints with access to identity, session state, sensitive pages, and business workflows. That places them closer to privileged RPA systems or browser-based copilots than to ordinary consumer software.
Defensive Recommendations
- Enforce hard action boundaries so agentic browsers cannot freely access local files, password managers, financial workflows, or identity recovery pages without explicit per-action approval.
- Reduce reasoning leakage. Safety stops should be terse and policy-based rather than verbose explanations that reveal exactly which signals triggered a block.
- Apply adversarial training using iterative attack generation against the browser’s real tool chain, not just synthetic prompt corpora.
- Continuously red-team agents with automated attack discovery pipelines that mutate page copy, DOM structure, visual cues, and interaction flows.
- Separate user intent from untrusted content at the architectural level with strict provenance handling and policy enforcement between inputs, tools, and model reasoning.
- Require high-friction confirmation for state-changing actions on untrusted or low-reputation domains, especially for logins, payments, password resets, and document submission.
- Instrument browser-agent telemetry for enterprise detection, including agent screenshots, cross-site navigation patterns, and sensitive workflow invocation.
- Constrain extension, vault, and session inheritance so agents cannot automatically pivot into privileged browser contexts without narrowly scoped authorization.
- Use domain reputation, content sandboxing, and tool-result filtering together rather than relying on any single prompt-injection detector.
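One way to combine the hard action boundaries, high-friction confirmation, and terse policy-based stops recommended above is a gate between the model and its tool executor. This is an added example, not code from Guardio or Perplexity; the tool names, policy codes, field types, and origins are hypothetical and the policy data is constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed policy data for illustration; all names and codes are hypothetical.
TRUSTED_ORIGINS = {"https://accounts.example.com"}
STATE_CHANGING = {"type", "click", "submit", "upload"}
SENSITIVE_FIELDS = {"password", "otp", "card_number", "recovery_code"}
FORBIDDEN_SCHEMES = {"file", "chrome", "chrome-extension"}

@dataclass(frozen=True)
class Action:
    tool: str        # hypothetical tool name, e.g. navigate, read_page, type
    url: str         # page the tool call targets
    field: str = ""  # semantic type of the field being filled, if any

def origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def gate(action: Action, user_named_url: str, audit: list) -> dict:
    """Decide from policy inputs only; page text and styling are never consulted,
    so rewording or restyling a page cannot change the verdict."""
    target, intended = origin(action.url), origin(user_named_url)
    if urlsplit(action.url).scheme.lower() in FORBIDDEN_SCHEMES:
        verdict, code, why = "deny", "P1", "local or privileged scheme"
    elif action.tool not in STATE_CHANGING:
        verdict, code, why = "allow", "P0", "read-only tool"
    elif action.field in SENSITIVE_FIELDS and target != intended:
        verdict, code, why = "deny", "P2", "sensitive field outside user-named origin"
    elif target not in TRUSTED_ORIGINS:
        # "confirm" means the executor must obtain explicit per-action user approval.
        verdict, code, why = "confirm", "P3", "state change on untrusted origin"
    else:
        verdict, code, why = "allow", "P0", "state change on trusted origin"
    # The detailed reason goes to the internal audit trail only.
    audit.append({"tool": action.tool, "origin": target, "code": code, "why": why})
    # The agent-visible result is terse: it does not say which signal tripped.
    return {"verdict": verdict, "code": code}
```

Because the verdict depends on origin, tool, and field type rather than on how the page looks or reads, the feedback available to someone iterating on page content is limited to a fixed policy code.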
MITRE ATT&CK Techniques
- T1566 – Phishing
- T1189 – Drive-by Compromise
- T1059 – Command and Scripting Interpreter
- T1078 – Valid Accounts
- T1556 – Modify Authentication Process
- T1555 – Credentials from Password Stores
- T1020 – Automated Exfiltration
- T1204 – User Execution
Why This Matters
The most important lesson is that agentic browsers are changing the economics of phishing. In the old model, a campaign succeeded by deceiving some percentage of humans. In the emerging model, a campaign succeeds by learning one browser agent’s thresholds. Once that threshold is mapped, every user of the same agent becomes a more predictable target.
That is why the “under four minutes” figure is more than a headline metric. It suggests that the optimization loop is fast enough to be practical. An attacker does not need a long research phase or nation-state resources to improve a scam page. They need observability into the model’s behavior and enough automation to iteratively rewrite the lure until the model complies.
For defenders, this means the security conversation must move beyond whether AI agents can detect phishing pages. The real question is whether they can be prevented from becoming reliable phishing participants when exposed to adversarially trained content. Right now, the answer appears far less reassuring than vendors would like.
NeuraCyb Intelligence's Assessment
NeuraCyb Intel assesses Agentic Blabbering as an early warning of how browser-native AI abuse will evolve over the next 12 to 18 months. The strategic shift is from human-centered social engineering to model-centered behavioral optimization. This is likely to produce more reliable first-contact fraud, faster prompt-injection weaponization, and broader abuse of authenticated browser state.
Perplexity Comet is the immediate case study, but the underlying issue is ecosystem-wide. Any agentic browser that narrates its reasoning, operates across trusted sessions, and lacks hard privilege boundaries is exposed to the same family of attacks. Security teams should expect continued convergence between phishing, prompt injection, tool abuse, and identity compromise.
The near-term priority for defenders is to classify browser agents as privileged execution surfaces, apply strict policy gates around sensitive actions, and test them with the same adversarial rigor used for exposed identity systems. The longer-term reality is harsher: prompt injection will remain a persistent design constraint for autonomous web agents, so competitive advantage will come from containment, not from assuming the problem can be completely filtered away.
References: Guard.io Research: Scamlexity