{"id":11153,"date":"2026-03-06T10:04:06","date_gmt":"2026-03-06T10:04:06","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/06\/hackers-can-use-indirect-prompt-injection-allows-adversaries-to-manipulate-ai-agents-with-content\/"},"modified":"2026-03-06T10:04:06","modified_gmt":"2026-03-06T10:04:06","slug":"hackers-can-use-indirect-prompt-injection-allows-adversaries-to-manipulate-ai-agents-with-content","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/06\/hackers-can-use-indirect-prompt-injection-allows-adversaries-to-manipulate-ai-agents-with-content\/","title":{"rendered":"Hackers Can Use Indirect Prompt Injection Allows Adversaries to Manipulate AI Agents with Content"},"content":{"rendered":"<p>Hackers Can Use Indirect Prompt Injection Allows Adversaries to Manipulate AI Agents with Content<\/p>\n<div>\n<p>Artificial intelligence tools are now a core part of everyday workflows \u2014 from browsers that summarize web pages to automated agents that help users make decisions online. <\/p>\n<p>As these tools become more capable, attackers are learning how to turn them against the very people they are designed to serve. <\/p>\n<p>A method called indirect prompt injection (IDPI) allows adversaries to embed hidden instructions inside ordinary-looking web content, tricking AI agents into executing commands they were never authorized to follow.<\/p>\n<p>Unlike direct prompt injection, where a person types a malicious instruction directly into a chatbot, IDPI works entirely behind the scenes. <\/p>\n<p>An attacker hides instructions inside a webpage \u2014 embedded in HTML code, user comments, metadata, or invisible text \u2014 and waits for an AI tool to visit or process that page. 
<\/p>\n<p>When the AI reads the page as part of a routine task, such as summarizing content or reviewing an advertisement, it may unknowingly interpret those hidden instructions as legitimate commands and act on them.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOvDpRZRV_-uwvZw7ojdBfN4G5hj6AQYP2JtUBD9OB595I8L_93cLp1aISbZiPstuibQE3GwnZKE1b-EsA-bJAN32sV7wQjah493lEgtyxr8M3ocMRvzGbIJJYguSvtS5TzrCQjPiQFg8ATo0EGou5ElFRNY7ryyypBpBEyVjQICrW7pdiT84DUdO5KO0\/s16000\/Threat%2520model%2520depiction%2520for%2520web-based%2520IDPI%2520%28Source%2520-%2520Unit42%29.webp?ssl=1\" alt=\"Threat model depiction for web-based IDPI (Source - Unit42)\"><figcaption class=\"wp-element-caption\">Threat model depiction for web-based IDPI (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/ai-agent-prompt-injection\/\" id=\"https:\/\/unit42.paloaltonetworks.com\/ai-agent-prompt-injection\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Unit 42 researchers identified that this attack<\/a> is no longer just a theory. Their analysis of large-scale real-world telemetry confirmed that IDPI attacks are actively deployed across live websites, with 22 distinct techniques documented for constructing malicious payloads. 
<\/p>\n<p>Their findings also revealed previously undocumented attacker goals, including the first known real-world case of IDPI being used to bypass an AI-based advertisement review system.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDuCnhxn6RKHicPOnxtfz7wtTPQ4lfP43LTYSFUavZRne1Q1o6KVQ6k14pg_E9xdSU_rdSfY0uK7BwmwcNDwH6wRX2mVDywC2RdKcW4G_yKEBCog3NYjQ0Lp8OcGZjuWwA1VxAMLsI5dZMMseIav90xYMBtezavWamt0Yt08DWoCdnzJcLvEICkafUlqU\/s16000\/Example%2520of%2520Hidden%2520Prompt%2520in%2520Page%2520from%2520reviewerpress%255B.%255Dcom%2520%28Source%2520-%2520Unit42%29.webp?ssl=1\" alt=\"Example of Hidden Prompt in Page from reviewerpress[.]com (Source - Unit42)\"><figcaption class=\"wp-element-caption\">Example of Hidden Prompt in Page from reviewerpress[.]com (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n<p>The range of harm these attacks can cause is broad. Attackers have used IDPI to push phishing sites up in search rankings through SEO poisoning, attempt unauthorized financial transactions, force <a href=\"https:\/\/cybersecuritynews.com\/hackers-exploit-ai-tools-misconfiguration\/\" id=\"109466\" target=\"_blank\" rel=\"noreferrer noopener\">AI tools<\/a> to reveal sensitive information, and even issue server-side commands that could destroy entire databases. 
<\/p>\n<p>In one observed case, a single webpage contained as many as 24 separate injection attempts, stacking multiple delivery methods to raise the odds that at least one would successfully reach the AI.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlQQDcPs3BmPg-ua3QyFOO2jpEhhwJIrX4boKuArR2f-0rZBoL9StVNXc2ArEU9zITVWOqxphjsy92C5oMe4WR4orWsSm4DEwzYcWGTvDaUnaHV8ka8DBbek54C9AeFOPACQqh9YjW1md7QQFC8ViyFZv91cO2X3REBvSiPACokFpNz6cCllp94JFukVI\/s16000\/HTML%2520Code%2520Excerpt%2520Showing%2520IDPI%2520from%2520reviewerpress%255B.%255Dcom%2520%28Source%2520-%2520Unit42%29.webp?ssl=1\" alt=\"HTML Code Excerpt Showing IDPI from reviewerpress[.]com (Source - Unit42)\"><figcaption class=\"wp-element-caption\">HTML Code Excerpt Showing IDPI from reviewerpress[.]com (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n<p>Across the telemetry reviewed, the most common attacker goal was producing irrelevant or disruptive AI output, accounting for 28.6% of cases, followed by data destruction at 14.2% and AI content moderation bypass at 9.5%. <\/p>\n<p>This shows that attackers are going after <a href=\"https:\/\/cybersecuritynews.com\/48-ai-vulnerabilities-220-percent\/\" id=\"62812\" target=\"_blank\" rel=\"noreferrer noopener\">AI systems<\/a> with a wide range of goals \u2014 from low-level noise generation to serious financial fraud.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-attackers-conceal-and-deliver-malicious-payloa\"><strong>How Attackers Conceal and Deliver Malicious Payloads<\/strong><\/h2>\n<p>One of the most significant findings in this research is how much effort attackers put into hiding their injected instructions. 
<\/p>\n<p>Rather than dropping a simple override command into a page, they layer multiple techniques on top of one another to avoid detection by both human reviewers and automated scanners, while still ensuring the <a href=\"https:\/\/cybersecuritynews.com\/codemender-rewrites-vulnerable-code\/\" id=\"129432\" target=\"_blank\" rel=\"noreferrer noopener\">AI agent<\/a> can read and act on the content.<\/p>\n<p>The most frequently observed delivery method, seen in 37.8% of cases, was visible plaintext \u2014 injecting the command directly into a page footer, where most users never look. <\/p>\n<p>HTML attribute cloaking was the second most common method at 19.8%, placing the malicious prompt inside HTML tag attributes where it is invisible in the browser but readable by an AI. <\/p>\n<p>CSS rendering suppression followed at 16.9%, with attackers making text invisible by setting font sizes to zero or pushing content far off-screen.<\/p>\n<p>For jailbreaking \u2014 convincing the AI to obey the injected command despite safety filters \u2014 social engineering dominated, appearing in 85.2% of cases. <\/p>\n<p>Attackers presented their instructions as if they came from a developer or administrator, using triggers like \u201cgod mode\u201d or \u201cdeveloper mode\u201d to make the model believe compliance was valid and urgent.<\/p>\n<p>Security teams and AI developers should treat untrusted web content as a potential attack source and apply input validation wherever AI agents process external data. <\/p>\n<p>Deploying spotlighting techniques \u2014 separating untrusted content from trusted system instructions \u2014 can reduce attack exposure. AI systems should follow least-privilege design, requiring explicit user approval before taking high-impact actions. 
<\/p>\n<p>Detection tools must move beyond keyword filters to incorporate behavioral analysis and intent classification capable of catching IDPI attempts that rely on encoding schemes, obfuscation, or multilingual methods to bypass defenses.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-can-use-indirect-prompt-injection-allows-adversaries\/\">Hackers Can Use Indirect Prompt Injection Allows Adversaries to Manipulate AI Agents with Content<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-can-use-indirect-prompt-injection-allows-adversaries\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Can Use Indirect Prompt Injection Allows Adversaries to Manipulate AI Agents with Content Artificial intelligence tools are now a core part of everyday 
workflows \u2014 from browsers that summarize web pages to automated agents that help users make decisions online. As these tools become more capable, attackers are learning how to turn them against [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11153","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11153"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11153"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11153\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}