<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AI Agents - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ai-agents/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 07:51:34 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ai-agents/feed.xml" rel="self" type="application/rss+xml"/><item><title>CrowdStrike Uncovers New Prompt Injection Techniques</title><link>https://feed.craftedsignal.io/briefs/2026-07-prompt-injection/</link><pubDate>Wed, 08 Jul 2026 07:51:34 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-prompt-injection/</guid><description>CrowdStrike's AI security research team has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 methods, which enable adversaries to manipulate AI systems and agents through indirect means like hidden context, delayed triggers, and special token injection, leading to unauthorized actions such as data exfiltration or arbitrary command execution.</description><content:encoded><![CDATA[<p>CrowdStrike's AI security research team has recently uncovered 18 new prompt injection techniques, significantly expanding their taxonomy to over 200 distinct methods observed in real-world AI systems. This development highlights the escalating sophistication of adversaries in manipulating AI agents and Large Language Models (LLMs). These advanced techniques allow attackers to bypass security mechanisms by exploiting hidden context, delayed triggers, semantic constraints, and structural cues, rather than overt jailbreaks. This can lead to AI agents being tricked into performing unauthorized actions, such as executing shell commands, exfiltrating sensitive data, or altering their internal rules. The insights are crucial for defenders as organizations increasingly adopt powerful AI agents that interact with critical resources like web pages, file stores, and internal systems, making robust AI threat modeling and red teaming essential to counter these evolving threats.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker Crafts Malicious Prompt</strong>: Adversary designs a prompt containing hidden or fragmented malicious instructions, using techniques like &quot;Trigger-Activated Rule Addition,&quot; &quot;Cognitive Token Suppression,&quot; &quot;Algorithmic Payload Decomposition,&quot; or &quot;Special Token Injection.&quot;</li>
<li><strong>Delivery via Unwitting User</strong>: The malicious prompt is delivered to an AI agent, often through social engineering, where an authorized user is enticed to input the prompt into the AI system without realizing its true intent, such as copying from a compromised website or social media post.</li>
<li><strong>AI Agent Processes Input</strong>: The AI agent, designed to follow user instructions, processes the maliciously crafted prompt, which includes the hidden or fragmented commands.</li>
<li><strong>Injection Technique Activation</strong>: The embedded prompt injection technique successfully manipulates the AI's internal logic, causing it to misinterpret or prioritize the attacker's directives over its safety guidelines or original instructions. For example, a hidden rule is activated, or safety-related tokens are suppressed.</li>
<li><strong>Unauthorized Tool Call/Action</strong>: The compromised AI agent initiates an unauthorized action based on the injected instructions, such as making tool calls to <code>execute_sql_query</code>, generating unexpected responses, or attempting to write shell commands.</li>
<li><strong>Data Exfiltration or Impact</strong>: The AI agent, under the attacker's control, exfiltrates sensitive data (e.g., forwarding emails to <code>anon@evilcorp.corp</code>), modifies system configurations, or performs other actions impacting confidentiality, integrity, or availability.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The described prompt injection techniques enable adversaries to achieve significant impact on organizations leveraging AI agents. If successful, these attacks can lead to unauthorized data exfiltration, as demonstrated by the example of emails being duplicated and forwarded to attacker-controlled addresses. AI agents could be coerced into executing arbitrary shell commands, granting attackers remote code execution capabilities on underlying infrastructure. Furthermore, the manipulation of AI agents could result in the bypass of security controls, altered system behavior, and the generation of misleading or harmful content, leading to reputational damage, financial loss, and compromise of critical systems. These attacks target any organization integrating AI agents with access to internal systems or sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize comprehensive AI threat modeling that accounts for all potential sources of model context, including prompts, files, RAG pipelines, and external APIs.</li>
<li>Enhance AI red teaming exercises to include advanced prompt injection techniques such as boundary mimicry, indirect injection, and delayed activation, beyond simple jailbreaking attempts.</li>
<li>Configure AI agent logging to capture tool calls and system interactions, and deploy the provided Sigma rule to detect suspicious outbound network connections to domains like <code>evilcorp.corp</code>.</li>
<li>Educate users about the risks of &quot;Unwitting User Delivery&quot; and social engineering tactics that entice them to input malicious prompts into AI systems.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prompt-injection</category><category>ai</category><category>llm</category><category>ai-security</category><category>cloud</category><category>novel-technique</category></item><item><title>CrowdStrike Uncovers New Prompt Injection Techniques</title><link>https://feed.craftedsignal.io/briefs/2026-07-crowdstrike-prompt-injection/</link><pubDate>Wed, 08 Jul 2026 06:05:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-crowdstrike-prompt-injection/</guid><description>CrowdStrike's AI security research team has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 methods, which adversaries can use to manipulate AI systems and agents through hidden context, delayed triggers, semantic constraints, boundary spoofing, and social engineering, potentially leading to agent hijacking, data exfiltration, or system compromise by causing them to execute unintended commands like shell scripts or SQL queries.</description><content:encoded><![CDATA[<p>CrowdStrike's AI security research team, in July 2026, has expanded its taxonomy of prompt injection techniques by 18 new additions, now covering over 200 distinct methods adversaries are using to manipulate AI systems. These evolving techniques reflect how prompt injection attacks are manifesting in real-world AI systems, moving beyond simple jailbreaks to more sophisticated approaches. The core delivery mechanism involves indirect prompt injection, where malicious instructions are hidden within data consumed by AI agents, or through &quot;Unwitting User Delivery&quot; (IM0005) via social engineering. The threat matters for defenders because modern AI agents can perform sensitive actions such as crawling webpages, accessing file stores, and writing shell commands. Specific new techniques include Trigger-Activated Rule Addition (PT0201) for delayed activation, Cognitive Token Suppression (PT0197) to bypass safety mechanisms, Algorithmic Payload Decomposition (PT0200) for filter evasion, and Special Token Injection (PT0198) to confuse AI system boundaries, all aiming to hijack agent capabilities and cause further damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>This brief describes new techniques for prompt injection and does not detail a specific end-to-end attack campaign from initial access to impact. The following outlines how these techniques are leveraged once an attacker introduces a malicious prompt or data to an AI system.</p>
<ol>
<li><strong>Initial Access (via Social Engineering):</strong> An adversary employs social engineering or deceptive tactics to trick an authorized user into submitting a crafted prompt, effectively turning the user into an &quot;Unwitting User Delivery&quot; (IM0005) vector. This can involve copying/pasting hidden commands or using compromised browser extensions.</li>
<li><strong>Prompt Manipulation (Algorithmic Payload Decomposition):</strong> The attacker fragments a malicious instruction into multiple benign-looking steps, variables, or characters. This &quot;Algorithmic Payload Decomposition&quot; (PT0200) technique evades immediate detection by filters.</li>
<li><strong>Bypass Defenses (Special Token Injection):</strong> The fragmented payload or a new prompt includes &quot;Special Token Injection&quot; (PT0198), mimicking internal structural cues (e.g., <code>&lt;tool_call&gt;</code>) used by the AI system to differentiate system commands from user input, causing boundary confusion and elevating untrusted content.</li>
<li><strong>Evasion (Cognitive Token Suppression):</strong> The malicious prompt attempts &quot;Cognitive Token Suppression&quot; (PT0197) by instructing the AI model to avoid using specific safety-related terms or refusal vocabulary, hindering its ability to generate secure responses or block the attack.</li>
<li><strong>Delayed Execution (Trigger-Activated Rule Addition):</strong> The attacker embeds a &quot;Trigger-Activated Rule Addition&quot; (PT0201) instruction into the AI's context. This instruction remains dormant until a specific trigger phrase, event, or condition occurs, at which point the AI agent begins to follow the new, malicious rule.</li>
<li><strong>Action on Objectives (Execution):</strong> The compromised AI agent, following the injected rules, executes unintended or malicious commands, such as an <code>execute_sql_query</code> to access sensitive data, or shell commands to interact with underlying systems.</li>
<li><strong>Impact (Data Exfiltration):</strong> The AI agent, now under adversary control, proceeds to exfiltrate data, for example, by duplicating and forwarding sensitive emails to an attacker-controlled address like <code>anon@evilcorp.corp</code>, or by accessing and leaking internal files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed impact of successful prompt injection ranges from subtle manipulation of AI behavior to significant security breaches. Adversaries can hijack agent capabilities, leading to unintended actions like executing arbitrary shell commands, performing SQL injection-like queries, or accessing and exfiltrating sensitive data. This can bypass existing security rules, steer agents into unsafe actions, and result in data loss or system compromise. While specific victim counts are not provided, the techniques target general AI systems and agents, affecting any organization deploying such technologies, especially those relying on AI for critical operations or data handling.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement robust AI threat modeling that accounts for all possible origins of model context, including prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to understand potential injection points.</li>
<li>Conduct targeted AI red teaming exercises that go beyond simple &quot;ignore previous instructions&quot; and incorporate boundary mimicry, indirect injection, and delayed activation scenarios, as described by techniques like PT0198 and PT0201.</li>
<li>Monitor for and block outbound network connections from AI systems or agents to suspicious domains, such as <code>evilcorp.corp</code>, which was identified as an exfiltration target in an example for the IM0005 technique.</li>
<li>Educate users on the risks of &quot;Unwitting User Delivery&quot; (IM0005) by training them to recognize and avoid deceptive tactics that could lead to submitting malicious prompts.</li>
<li>Deploy specialized AI security solutions capable of analyzing and detecting fragmented (PT0200), suppressed (PT0197), or specially tokenized (PT0198) instructions within prompts before they are processed by AI models.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prompt-injection</category><category>ai-security</category><category>llm</category><category>agentic-ai</category><category>cloud</category><category>threat-research</category></item></channel></rss>