Security researchers demonstrated that Claude Desktop — Anthropic’s desktop AI application — can be turned into an attacker-controlled platform through a chain that begins with access to a victim’s email inbox and ends with OS-level code execution on the victim’s machine. The attack exploits Claude Desktop’s design behavior: it reads content from connected sources including email inboxes, follows instructions embedded in that content, and — when an MCP connector with command execution capabilities is installed — carries out those instructions using the connector. Researchers published full technical details after Anthropic stated the technique falls outside the scope of its bug program, characterizing MCP connectors executing code as intended functionality.
How a Compromised Email Inbox Becomes a Foothold Inside Claude Desktop
Claude Desktop’s core function involves reading content from connected sources and acting on it. When a victim connects their email inbox to Claude Desktop and an attacker has obtained access to that inbox — through phishing, credential theft, or any other inbox compromise method — the attacker can plant a message containing hidden prompt instructions. Claude Desktop reads the message as part of its normal inbox monitoring behavior and follows the embedded instructions as though they were legitimate user directives. The victim has no reason to suspect that processing an email involved executing attacker-supplied commands.
The Four-Step Email-to-MCP Chain That Delivers OS-Level Code Execution
The attack chain proceeds through four stages. First, the attacker gains access to the victim’s email inbox. Second, the attacker sends or plants a message containing a hidden prompt instruction directing Claude to take specific actions. Third, Claude reads the inbox and processes the injected content, presenting the victim with what appears to be a realistic error message that includes plausible step-by-step instructions. Fourth, if the victim has Desktop Commander or a similar MCP connector that provides Claude with command execution capability, Claude executes the reverse shell or other malicious code the attacker specified — treating the attacker’s instructions as an authorized user request. The victim’s click on the “fix” instructions, if taken, confirms the action in the MCP connector interface, but the attack can proceed if Claude interprets the injected instructions as sufficient authorization.
Claude as a Phishing Layer When No Command-Execution MCP Is Installed
Not all Claude Desktop installations include a command-execution MCP connector. In cases where no such connector is present, researchers describe Claude Desktop as becoming a “phishing layer” — a trusted AI interface that presents attacker-controlled content to the victim in a context where the victim is less likely to be skeptical than they would be if the same content arrived in a conventional phishing email. Victims who are accustomed to following Claude’s recommendations within the desktop application represent a higher-trust target than a suspicious external email, giving the attacker a more credible social engineering channel even when full code execution is not achievable through the connector path.
Cross-Device Sync and Anthropic’s Position on MCP Connector Risk
Claude Desktop’s cross-device and cross-session synchronization behavior creates a secondary amplification path for successful prompt injection. A poisoned configuration or an injected instruction that modifies Claude’s behavior in one session can propagate to all other devices and sessions tied to the victim’s Claude account — meaning a successful inbox injection on a laptop also affects the victim’s desktop, secondary workstation, and any other device running Claude Desktop with the same account. This behavior extends the attacker’s effective reach beyond a single device compromise.
Anthropic’s Response and What It Means for MCP Connector Deployments
Anthropic reviewed the technique and determined it does not represent a security vulnerability within the company’s bug program scope. The company’s position characterizes MCP connectors executing code as intended functionality — the behavior the researchers documented is what MCP connectors are designed to do when Claude receives instructions directing code execution. Researchers published full technical details in response, aiming to inform users and organizations managing MCP connector deployments about the conditions under which Claude Desktop can be directed by attacker-controlled content. Organizations that have deployed Claude Desktop with command-execution MCP connectors should assess whether they have implemented inbox access controls sufficient to prevent unauthorized content from reaching Claude’s reading queue, and should consider which MCP connectors carry execution permissions in their deployment context.
The technique is distinct from browser-based credential theft attacks targeting AI interfaces: this attack targets the desktop application and achieves OS-level code execution through the connector path, while the inbox entry mechanism bypasses the need for the attacker to interact directly with the victim’s machine before execution.
