Zero-click attacks used to be the stuff of NSO Group exclusives, targeted at journalists and dissidents through Pegasus. That window closed. The technique has moved downmarket. Through 2024 and 2025, zero-click exploits showed up in messaging platforms, AI assistants, mobile apps, and increasingly, in software your staff use every day.
What makes zero-click dangerous is that it does not depend on human error. There is no link to click, no attachment to open, no warning sign for a trained user to spot. The exploit fires the moment a message arrives, a notification renders, or an AI agent processes content on the user’s behalf. Security awareness training does not help. Phishing simulations do not catch it. The user is compromised before they are even aware a message arrived.
If you last thought seriously about zero-click in 2023, when this post was first written, the threat picture has shifted considerably. Here is what changed and what defences need to look like now.
A zero-click exploit succeeds without any action from the target. The vulnerability is in how the receiving application parses content. Send a malformed image, a crafted protocol buffer, or a poisoned message, and the parser itself executes attacker-controlled code before the user even sees the content.
The category has expanded since the original Pegasus disclosures. Three new vectors have emerged at scale.
The first is messaging platform parsers. iMessage, WhatsApp, Signal, and Telegram all process rich content automatically. Every image preview, audio waveform render, link unfurl, and emoji reaction is parser work that runs before the user reads the message. The iMessage BLASTPASS chain disclosed in late 2023 used image processing in the ImageIO framework to bypass BlastDoor sandboxing on iOS. Apple patched it. Subsequent variants appeared through 2024 and 2025.
The second is AI assistant prompt injection. When a user asks Copilot, ChatGPT, or Claude to summarise an email or document, the AI processes the entire content including any embedded instructions. Attackers have learned to embed instructions in documents and emails that hijack the AI assistant’s behaviour, exfiltrate context, or trigger actions on the user’s behalf. The user never sees the injection, never approves the action, and never realises the AI just did something it should not have done. This is zero-click in its newest form, and the defences are still maturing.
The third is automated processing of shared content. Cloud storage scanning, email anti-malware preview, mobile device management auto-installing configuration profiles, automated ticketing system attachment indexing. Anywhere a backend system parses user-supplied content without the user being present is potential zero-click attack surface.
The 2023 zero-click conversation centred on mobile messaging and was framed as an espionage problem affecting a small number of high-value targets. The 2026 conversation is broader on three dimensions.
The target profile has widened. Through 2024 and 2025, multiple commercial spyware vendors lowered the price point of zero-click capability. The same techniques used against journalists in 2021 are now sold to private intelligence firms, divorce investigators, and competitive intelligence buyers. Australian businesses are now affordable targets for those buyers, particularly in regulated industries, professional services, and any sector with sensitive M&A or litigation exposure.
The attack surface has multiplied. Zero-click no longer requires a phone number to target a device. AI assistants processing shared documents create new attack paths that bypass traditional email and endpoint defences entirely. Document sharing within Microsoft 365, Google Workspace, and most cloud collaboration platforms creates indirect zero-click vectors that the original 2023 advice did not anticipate.
The defender maturity has lagged. Most Australian SMBs are still operating defences calibrated for the 2020-era threat model. They patch endpoints diligently and run anti-phishing on email gateways. Both are necessary. Neither addresses the AI prompt injection or the automated backend parser vectors that are doing the damage in 2026.
For an Australian SMB in 2026, the realistic zero-click exposure breaks down into five categories.
Mobile devices remain the highest-impact target. iOS and Android both push update cadences faster than businesses can manage. The gap between an exploit being disclosed and your fleet being patched is where the risk lives. Mobile Device Management discipline is the gating control. We will be covering Intune versus traditional MDM in a forthcoming piece, but the headline is that 30 per cent of Australian SMB mobile fleets have devices more than 60 days behind on critical patches.
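One way to measure that patch gap from an MDM inventory export, as an added example that is not part of the original post: the inventory rows, the per-platform baseline builds and their release dates, the report date and the 60-day threshold are all constructed for the demonstration, and `days_behind` and `posture_report` are hypothetical names. A device counts as behind when its OS build is older than the baseline build (the oldest build carrying every current critical fix for that platform), and the days behind are counted from the date that baseline was released, which is the window in which a known fix existed and the device lacked it.

```python
from __future__ import annotations
from datetime import date

REPORT_DATE = date(2026, 3, 2)   # constructed "today" for the report
SLA_DAYS = 60                    # threshold from the post: more than 60 days behind is overdue

# Constructed baseline per platform: the oldest OS build that carries every
# current critical fix, and the date that build was released. In practice this
# comes from the vendor security bulletins, not from the MDM itself.
BASELINE = {
    "ios":     ("18.3.1", date(2026, 1, 6)),
    "android": ("15.0.2", date(2025, 12, 2)),
}

# Constructed MDM export. Real exports carry many more columns (last check-in,
# enrolment state, ownership); only the fields this report needs are kept.
INVENTORY = [
    {"device": "AU-MOB-001", "platform": "ios",     "os_version": "18.3.1"},
    {"device": "AU-MOB-002", "platform": "ios",     "os_version": "18.1"},
    {"device": "AU-MOB-003", "platform": "android", "os_version": "15.0.2"},
    {"device": "AU-MOB-004", "platform": "android", "os_version": "14.2"},
    {"device": "AU-MOB-005", "platform": "ios",     "os_version": "18.4"},
]


def parse_version(version: str) -> tuple:
    """Dotted version string to a comparable tuple: '18.3.1' -> (18, 3, 1).
    Tuple comparison treats '18.3' as older than '18.3.1', which is what we want."""
    return tuple(int(part) for part in version.split("."))


def days_behind(device: dict) -> int:
    """0 if the device is at or above the baseline build for its platform,
    otherwise the number of days the baseline fix has been available."""
    base_version, base_date = BASELINE[device["platform"]]
    if parse_version(device["os_version"]) >= parse_version(base_version):
        return 0
    return (REPORT_DATE - base_date).days


def posture_report(inventory: list = INVENTORY) -> dict:
    """Per-device days behind, the list of devices over the SLA, and the share
    of the fleet that is overdue (the figure the post quotes as 30 per cent)."""
    rows = [(d["device"], days_behind(d)) for d in inventory]
    overdue = [name for name, days in rows if days > SLA_DAYS]
    return {
        "days_behind": dict(rows),
        "overdue": overdue,
        "overdue_pct": round(100 * len(overdue) / len(rows), 1),
    }


if __name__ == "__main__":
    report = posture_report()
    for name, days in report["days_behind"].items():
        flag = "OVERDUE" if days > SLA_DAYS else "ok"
        print(f"{name}  {days:3d} days behind  {flag}")
    print(f"{report['overdue_pct']}% of fleet over {SLA_DAYS} days")
```

The report deliberately separates "behind at all" from "overdue": AU-MOB-002 is behind the iOS baseline but within the 60-day window, while AU-MOB-004 has had an Android fix available for 90 days. A weekly run of this kind of check, with the overdue list pushed to whoever owns the MDM, is the discipline the post is describing.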
AI assistants integrated into workflow tools are the fastest-growing attack surface. Every Copilot, ChatGPT Enterprise, or Claude integration that can read documents and emails is a potential prompt injection target. The exploit is not in the AI itself; it is in the contextual data the AI is allowed to see and the actions it is allowed to take. Tight permission scoping is the defence.
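What "tight permission scoping" looks like in code for the prompt injection case described in the two paragraphs above, as an added example that is not part of the original post and not any vendor's implementation: every action the model proposes after reading a document is treated as untrusted output and passed through a gate that enforces the scope the user actually granted for that request (which tools, on which resources), requires an explicit human confirmation for anything that would send data out of the tenant, and records every decision for audit. `ToolGate`, `ToolCall`, the scope names and the proposed-call list are hypothetical; the scenario is a user who asked for a summary of one document and a model that, having read embedded instructions, proposes more than that.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class ToolCall:
    """An action the assistant proposes. Model output is untrusted, so nothing
    about the call is believed until the gate has checked it."""
    name: str
    resource: Optional[str] = None   # document id, mailbox, URL, ...
    egress: bool = False             # True if data would leave the tenant


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    # tool name -> set of resource ids the user granted, or None for "any resource"
    granted: dict
    # called for egress actions; must return True only if a human approved this exact call
    confirm: Callable[[ToolCall], bool]
    audit: list = field(default_factory=list)

    def check(self, call: ToolCall) -> Decision:
        if call.name not in self.granted:
            decision = Decision(False, f"{call.name}: tool not granted for this request")
        else:
            allowed_resources = self.granted[call.name]
            if allowed_resources is not None and call.resource not in allowed_resources:
                decision = Decision(False, f"{call.name}: resource {call.resource!r} outside granted scope")
            elif call.egress and not self.confirm(call):
                decision = Decision(False, f"{call.name}: egress requires user confirmation, not given")
            else:
                decision = Decision(True, f"{call.name}: within scope")
        self.audit.append((call, decision))   # every decision is logged, allowed or not
        return decision


def run_proposed_calls(gate: ToolGate, calls: list) -> list:
    """Apply the gate to each proposed call in order; returns (call, decision) pairs."""
    return [(call, gate.check(call)) for call in calls]


# Constructed scenario. The user asked: "summarise doc-4711". That is the whole
# grant: read that one document, produce a summary. Nothing else.
USER_GRANT = {
    "read_document": {"doc-4711"},
    "summarise": None,
}

# Constructed list of what the model proposed after reading the document.
# The last two calls are the kind of thing an embedded instruction produces.
PROPOSED_BY_MODEL = [
    ToolCall("read_document", resource="doc-4711"),
    ToolCall("summarise", resource="doc-4711"),
    ToolCall("read_document", resource="doc-0001"),           # a document the user never mentioned
    ToolCall("send_email", resource="mailbox", egress=True),  # a tool the user never granted
]


def demo(granted: dict = USER_GRANT, confirm: Callable[[ToolCall], bool] = lambda call: False) -> dict:
    """Run the constructed scenario; returns {"tool:resource": allowed} for inspection."""
    gate = ToolGate(granted=granted, confirm=confirm)
    results = run_proposed_calls(gate, PROPOSED_BY_MODEL)
    return {f"{call.name}:{call.resource}": decision.allowed for call, decision in results}


if __name__ == "__main__":
    gate = ToolGate(granted=USER_GRANT, confirm=lambda call: False)
    for call, decision in run_proposed_calls(gate, PROPOSED_BY_MODEL):
        print("ALLOW" if decision.allowed else "BLOCK", decision.reason)
```

The design point is that the gate never looks at the document text or tries to spot the injection. Injection detection is a losing game; scoping is not. Whatever the model was talked into proposing, it can only touch the resources the user named, and the one action that would exfiltrate anything is blocked unless a human confirms that specific call. Granting `send_email` to the session does not change that: with no confirmation the call is still refused.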
Email and document processing pipelines are quiet but exploitable. Any backend system that parses uploaded files (PDF, Office, image, archive) on the user’s behalf is in scope. Anti-malware engines that detonate attachments in sandboxes. Document conversion services. Optical character recognition pipelines. Each is a parser, and each parser has a history of vulnerabilities.
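A first line of defence in front of any such pipeline, as an added example that is not part of the original post: cheap structural checks that run before a file reaches a real parser. The validator below enforces a size cap, refuses types it does not expect, checks that the bytes actually match the declared type (a PDF that is really a PNG is the classic parser-confusion input), and for archives refuses anything with too many members, a path that would escape the extraction directory, or an expansion ratio that looks like a decompression bomb. `validate_upload`, the limits and the sample files are all constructed for the demonstration; the archive handling uses only the standard library's `zipfile`.

```python
from __future__ import annotations
import io
import zipfile

# Leading bytes each accepted type must start with (real format signatures).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
MAX_BYTES = 10 * 1024 * 1024   # constructed limit: refuse before any parser sees it
MAX_MEMBERS = 1000             # constructed limit on archive entries
MAX_EXPANSION = 100            # constructed ceiling on declared uncompressed / compressed size


def _archive_ok(data: bytes) -> tuple[bool, str]:
    """Inspect a zip's central directory only; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.infolist()
            if len(members) > MAX_MEMBERS:
                return False, f"archive has {len(members)} members (> {MAX_MEMBERS})"
            compressed = sum(m.compress_size for m in members) or 1
            expanded = sum(m.file_size for m in members)
            if expanded > MAX_BYTES or expanded / compressed > MAX_EXPANSION:
                return False, f"declared expansion {expanded} bytes from {compressed} is over limit"
            for m in members:
                parts = m.filename.replace("\\", "/").split("/")
                if m.filename.startswith("/") or ".." in parts:
                    return False, f"member path {m.filename!r} escapes the extraction root"
    except zipfile.BadZipFile as exc:
        return False, f"not a valid zip: {exc}"
    return True, "archive within limits"


def validate_upload(data: bytes, declared_type: str) -> tuple[bool, str]:
    """(accepted, reason). Only accepted files should be handed to a parser,
    and that parser should still run in its own process with a timeout."""
    if len(data) > MAX_BYTES:
        return False, f"{len(data)} bytes exceeds the {MAX_BYTES} byte limit"
    magic = MAGIC.get(declared_type)
    if magic is None:
        return False, f"type {declared_type!r} is not accepted"
    if not data.startswith(magic):
        return False, f"content does not match declared type {declared_type!r}"
    if declared_type == "zip":
        return _archive_ok(data)
    return True, "accepted"


def _make_zip(entries: dict) -> bytes:
    """Build a small in-memory zip for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed sample uploads: (bytes, type the uploader claimed).
SAMPLES = {
    "good_png":      (MAGIC["png"] + b"\x00" * 32, "png"),
    "mislabelled":   (MAGIC["png"] + b"\x00" * 32, "pdf"),
    "good_zip":      (_make_zip({"report.txt": b"quarterly figures"}), "zip"),
    "traversal_zip": (_make_zip({"../outside.txt": b"x"}), "zip"),
    "bomb_like_zip": (_make_zip({"zeros.bin": b"\x00" * (4 * 1024 * 1024)}), "zip"),
}


def run_samples() -> dict:
    """Accept/reject verdict for every constructed sample."""
    return {name: validate_upload(data, kind)[0] for name, (data, kind) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (data, kind) in SAMPLES.items():
        accepted, reason = validate_upload(data, kind)
        print(f"{name:14s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

These checks do not make the downstream parser safe; they remove the inputs that a parser should never have been asked to handle, and they cost microseconds. The parser itself still belongs in a separate process with a CPU and memory limit and a timeout, so that the one malformed file that does reach it takes out a worker rather than the service.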
Messaging platforms remain a primary vector for high-value targets. iMessage, WhatsApp, Signal, Telegram, Teams, and Slack all carry the same parser-based zero-click risk. Business users moving sensitive conversations into platforms with weaker security models is its own discussion, but the technical exposure is real.
Browser-rendered content is increasingly relevant. Modern browsers parse a vast amount of structured content automatically. Web push notifications, service workers, WebRTC sessions, and embedded media all execute code in the rendering process. The exploits here are less common but the impact is higher because browsers carry session cookies for everything else.
The defences against zero-click in 2026 are different from the 2023 playbook. The classic advice of “patch quickly, train users, run anti-phishing” is necessary but no longer sufficient. Five practical actions matter more now.
Cyber insurance underwriters have started asking explicit questions about AI permission scoping and mobile patch latency. Two years ago, those were not on the questionnaire. Today, they directly affect premium and excess.
The Essential Eight does not explicitly address zero-click in its current form. The maturity model assumes a threat picture from earlier years. That said, the underlying controls (patch management, application hardening, restrict admin privileges) are the right structural defences. Our Essential 8 Compliance Guide covers how the existing controls apply to modern threats including zero-click.
The federal Privacy Act amendments coming into effect in December 2026 will tighten breach notification requirements where automated decision-making is involved. AI agents acting on a user’s behalf without proper permission scoping create a meaningful Privacy Act exposure that did not exist in the 2023 framing.
We need to be direct about something most cyber vendors will not say. There is no defence that prevents all zero-click attacks. A determined, well-resourced attacker targeting a specific individual will find a way, and the technology gap between attackers and defenders on this category is not closing.
What you can do is reduce the attack surface, slow the attacker down, detect compromise faster, and limit the blast radius once they are in. That combination, applied diligently, moves the cost-benefit calculation against the attacker for most targets that are not specifically high-value.
For Australian SMBs, the realistic question is not “can we be perfectly secure against zero-click”. It is “can we be sufficiently harder to compromise than the next business in our sector”. On that measure, the gap between businesses doing the five actions above and businesses still operating on 2023-era assumptions is enormous.
We run focused assessments on AI permission scoping, mobile patch posture, and backend content processing exposure for Australian businesses. Two-week engagement, written report with prioritised remediation, no sales pressure.