Sysdig security researchers have documented JADEPUFFER, a new ransomware campaign that weaponizes artificial intelligence to autonomously spread and encrypt data, exploiting a vulnerability now tracked as CVE-2025-3248. The discovery lands just as Microsoft quietly rolls out autonomous AI agents for sales and service across its ecosystem, and HubSpot reverses a controversial plan to share customer enrichment data by default—a convergence that puts a glaring spotlight on the permissions and security of AI agents in the enterprise.
The Unfolding Threat: JADEPUFFER and CVE-2025-3248
In a detailed threat report, Sysdig’s research team outlined how JADEPUFFER uses machine learning models to map networks, identify high-value assets, and adapt its propagation techniques in real time. Unlike traditional ransomware that follows a static playbook, this campaign learns from each compromised endpoint, automatically selecting targets and evading signature-based defenses. The initial infection vector relies on CVE-2025-3248, a vulnerability whose technical specifics remain under coordinated disclosure and partial embargo. Early indicators suggest it affects a widely deployed enterprise collaboration platform, allowing unauthenticated remote code execution.
Once inside, JADEPUFFER deploys a lightweight AI engine that analyzes file structures, permissions, and network traffic to prioritize encryption of databases, file shares, and backup systems. It can even delay encryption to align with low-security monitoring windows, based on learned patterns. Sysdig has released indicators of compromise (IOCs) and YARA rules; organizations should immediately ingest these into their security information and event management (SIEM) or extended detection and response (XDR) tools.
Meanwhile, Microsoft’s rollout of Sales Agent and Service Agent marks a significant expansion of its autonomous AI capabilities. These agents, built into Microsoft 365 Copilot and Dynamics 365, can independently schedule meetings, draft and send emails, handle customer inquiries, and update CRM records—all with minimal human intervention. While touted as productivity boosters, their default permissions often include access to calendars, contact lists, and sensitive business data, mirroring the very attack surface JADEPUFFER seems designed to exploit.
On the privacy front, HubSpot had announced a feature that would automatically share contact enrichment data—such as company size, industry, and social profiles—across customer accounts to improve AI-driven insights. Following swift backlash from users concerned about data leakage and compliance, the company reversed course and made the sharing opt-in. This retreat underscores the tension between AI’s data hunger and the fundamental need for user consent and data isolation.
What It Means for You
For Enterprise Security Teams and IT Admins
JADEPUFFER is a wake-up call. AI agents already operating in your environment—whether from Microsoft, third-party SaaS, or homegrown automation—can become force multipliers for attackers if their permissions are excessive. Review all service principals, OAuth scopes, and API tokens assigned to AI-driven applications. In particular, scrutinize agents that can write data, send messages, or modify settings. Implement Just Enough Access (JEA) and time-bound tokens wherever possible.
If you use Microsoft 365, the new Sales and Service Agents are powerful but risky out of the box. Admins should immediately review the default data access scopes via the Microsoft 365 admin center and Microsoft Purview. Consider disabling autonomous email sending until your team has assessed the blast radius of a compromised agent. Set up alerts for unusual agent behavior—such as bulk file downloads or access from anomalous locations—using Microsoft Sentinel or a third-party SIEM.
For Developers and DevOps Teams
CVE-2025-3248’s exploitation in an AI-driven campaign highlights the criticality of securing CI/CD pipelines and third-party integrations. If your product or internal tools use AI agents, audit how they authenticate and what secrets they store. JADEPUFFER’s ability to learn and adapt means static defenses are insufficient; ensure your detection systems incorporate behavioral analytics and machine learning-based anomaly detection.
For Business Users and HubSpot Customers
If you rely on HubSpot, the reversal means your data remains isolated by default—but verify your settings. Navigate to Account Settings > Privacy & Consent and ensure cross‑account data sharing is disabled unless your organization has explicitly opted in. This is also a good time to review which connected apps have access to your CRM data.
For Home Users
While JADEPUFFER currently targets enterprises, AI‑powered malware isn’t far from the consumer space. Keep your systems patched, be vigilant about phishing (a likely companion to initial access), and limit the permissions you grant to browser extensions and mobile apps that integrate AI features.
How We Got Here
The march toward autonomous AI agents has been aggressive. Microsoft introduced Copilot for Microsoft 365 in 2023, and by early 2025 it began embedding autonomous agents capable of acting on user intent without explicit step-by-step commands. Other platforms, from Salesforce to ServiceNow, have followed suit. This trend has brought undeniable efficiency gains but also expanded the potential damage from a single compromised agent.
Security researchers have warned for years about the risks of over-permissioned AI. Incidents like prompt injection attacks and data leakage from large language models foreshadowed the weaponization of AI agents themselves. JADEPUFFER is the first known campaign to use an AI engine explicitly for ransomware operations, marking an ominous evolution.
Meanwhile, regulators worldwide have been drafting rules around AI accountability and data privacy. The European Union’s AI Act began to take effect this year, and the U.S. executive order on AI safety is driving new NIST guidelines. HubSpot’s reversal, though a business decision, aligns with the growing expectation that users must control how their data is used for AI training—a principle that will likely influence future legislation.
What to Do Now
- Hunt for CVE-2025-3248 exploitation: While a patch is pending, contact the affected vendor (details expected soon) for interim mitigations. Apply any available workarounds, such as disabling specific services or applying network segmentation rules.
- Ingest JADEPUFFER IOCs: Sysdig has published file hashes, C2 IP addresses, and YARA rules. Deploy these across your endpoint detection and response (EDR) and network detection systems. Pay special attention to any AI model files or libraries that appear in unexpected directories.
- Perform an AI agent permission audit: Inventory every AI agent or copilot in your environment. For each, ask: What can it read? What can it write? Can it send emails or messages? Revoke any permissions that aren’t strictly necessary, and set up approval workflows for high-risk actions.
- Harden Microsoft 365 tenants: In the Microsoft 365 admin center, navigate to Settings > Org settings, then Copilot and Autonomous agents. Restrict which users can deploy custom agents and which data sources they can access. Use sensitivity labels to protect highly confidential content from being processed by agents.
- Test your incident response plan: Simulate a scenario where an AI agent is compromised. Can your team quickly revoke its tokens, isolate the affected system, and identify data it accessed? Update runbooks accordingly.
- Check HubSpot sharing configurations: Even if you weren’t directly affected by the now-reversed feature, review your HubSpot App Marketplace integrations and remove any that you no longer use or trust.
Outlook: AI Arms Race in Cybersecurity
JADEPUFFER won’t be the last AI-driven threat. Ransomware gangs are incentivized to adopt any technology that improves their hit rate, and AI offers a clear offensive advantage. Defenders must invest in equally intelligent systems that can detect anomalies in agent behavior—essentially, using AI to guard against AI.
Microsoft’s aggressive agent push shows no signs of slowing; later this year we can expect even more autonomous capabilities across Windows, Azure, and Office. For IT leaders, the message is clear: governance must keep pace with innovation. Treat AI agents like privileged accounts: monitor them continuously, restrict their power, and assume they will eventually be compromised.
The HubSpot episode reveals that user trust is fragile when it comes to AI data practices. Companies that build agentic AI features will need transparent, opt-in models—not just for compliance, but to retain their customer base. As both threats and tools evolve, the balance between utility and security will define the next chapter of enterprise computing.