Skip to content
Threat Feed
medium advisory

CrowdStrike Uncovers New Prompt Injection Techniques Targeting AI Agents

Adversaries are leveraging sophisticated prompt injection techniques, including hidden rules, token suppression, payload decomposition, and special token injection, against AI agents to manipulate their behavior, bypass safety mechanisms, and achieve objectives such as data exfiltration or arbitrary command execution, posing a critical threat to AI-powered systems.

CrowdStrike’s AI security research team has uncovered 18 new prompt injection techniques, expanding their taxonomy to over 200 distinct methods, reflecting the evolving landscape of adversarial AI. These techniques enable attackers to manipulate AI agents by exploiting language, context, and data trusted by these systems. As organizations deploy more powerful AI agents capable of web crawling, file access, and even shell command execution, indirect prompt injection has emerged as a critical threat vector. Attackers can hide these injections within the data consumed by AI agents, allowing them to hijack agent capabilities for malicious purposes. This brief highlights five specific techniques: Trigger-Activated Rule Addition (PT0201), Cognitive Token Suppression (PT0197), Algorithmic Payload Decomposition (PT0200), Special Token Injection (PT0198), and Unwitting User Delivery (IM0005).

Attack Chain

  1. Preparation of Malicious Prompt: Attacker crafts a prompt using techniques like "Trigger-Activated Rule Addition", "Cognitive Token Suppression", "Algorithmic Payload Decomposition", or "Special Token Injection" to embed hidden or fragmented instructions designed to manipulate the AI agent.
  2. Delivery of Malicious Prompt: The specially crafted input is delivered to the AI agent, either directly by an unsuspecting user (via "Unwitting User Delivery" through social engineering) or indirectly through data the agent processes, such as a malicious file or webpage crawled by the agent.
  3. AI Agent Ingestion and Interpretation: The AI agent ingests the provided data or prompt, attempting to interpret and integrate the attacker's hidden instructions into its current operational context or memory, often without recognizing the malicious intent.
  4. Bypass of Safety Mechanisms: The embedded malicious instructions, such as those leveraging "Cognitive Token Suppression" or "Algorithmic Payload Decomposition", cause the AI agent to bypass its internal safety filters, refusal policies, or content moderation, clearing the way for unintended actions.
  5. Execution of Malicious Instructions: The AI agent, now compromised or manipulated, executes the attacker's hidden directives. For "Trigger-Activated Rule Addition", this step occurs when a specific future event, phrase, or condition during the AI's operation activates the embedded malicious instruction.
  6. Achievement of Attacker Objective: The AI agent's manipulated behavior leads to the attacker's objective, which can include data exfiltration (e.g., sending emails to an attacker-controlled address), arbitrary command execution (e.g., SQL queries), or generating harmful content (e.g., instructions for unsafe activities).

Impact

The described prompt injection techniques enable adversaries to achieve a range of malicious outcomes, turning AI agents into tools for attackers. Observed impacts include the manipulation of AI system behavior, bypassing of critical safety and refusal mechanisms, data exfiltration from sensitive systems, and the execution of arbitrary commands or queries within the agent's environment. The examples demonstrate potential for sensitive employee data exfiltration, generation of dangerous instructions, and direct database manipulation, highlighting that these are critical threat vectors for organizations relying on AI agents.

Recommendation

  • Implement robust AI threat modeling that encompasses all potential sources of model context, including prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to identify and mitigate prompt injection risks.
  • Expand AI red teaming exercises beyond basic "ignore previous instructions" scenarios to include advanced techniques like boundary mimicry, indirect injection, delayed activation, and uncommon substitutions, as described in CrowdStrike's new taxonomy.