The attack executed entirely on OpenAI's cloud, turning a covert prompt in a routine email into server-side data exfiltration.
