<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Jailbreak - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/jailbreak/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 27 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/jailbreak/feed.xml" rel="self" type="application/rss+xml"/><item><title>M365 Copilot Impersonation Jailbreak Attempt Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-27-m365-copilot-jailbreak/</link><pubDate>Sat, 27 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-27-m365-copilot-jailbreak/</guid><description>This detection identifies M365 Copilot impersonation and roleplay jailbreak attempts by analyzing exported eDiscovery prompt logs, searching for users manipulating the AI into adopting alternate personas or bypassing safety controls via roleplay keywords, categorizing specific impersonation types to identify persona injection attacks.</description><content:encoded><![CDATA[<p>This detection identifies attempts to jailbreak Microsoft 365 Copilot by manipulating the AI's persona. Users attempt to circumvent safety controls and acceptable use policies by prompting Copilot to adopt alternate identities or unrestricted behaviors. The activity is detected by analyzing exported eDiscovery prompt logs for specific keywords and phrases indicative of roleplay or impersonation requests. This includes prompts instructing the AI to &quot;pretend you are,&quot; &quot;act as,&quot; or adopt amoral stances. The detection categorizes these prompts into types such as &quot;AI_Impersonation,&quot; &quot;Malicious_AI_Persona,&quot; and &quot;Unrestricted_AI_Persona&quot; to pinpoint efforts to override the AI's guardrails through persona injection attacks. This matters because successful jailbreaks can lead to Copilot generating harmful or inappropriate content, revealing sensitive information, or performing unauthorized actions, potentially impacting organizational security and compliance. The detection utilizes prompt logs exported from M365 eDiscovery.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User crafts a prompt containing roleplay keywords (e.g., &quot;pretend you are,&quot; &quot;act as,&quot; &quot;amoral&quot;).</li>
<li>The prompt is submitted to M365 Copilot through a supported application (e.g., Teams, Word).</li>
<li>Copilot processes the prompt and generates a response based on the instruction.</li>
<li>The prompt and response are logged within the M365 environment.</li>
<li>An administrator or security analyst exports eDiscovery prompt logs from the Microsoft Purview compliance portal.</li>
<li>The exported logs, containing fields like Subject_Title (prompt text) and Sender, are ingested into a SIEM or security analytics platform.</li>
<li>The detection rule identifies prompts matching the defined impersonation patterns and categorizes the impersonation type.</li>
<li>If successful, the attacker gains the ability to influence Copilot's behavior beyond intended boundaries, potentially extracting sensitive data or generating malicious content.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful M365 Copilot jailbreak can lead to several negative consequences. The AI might generate responses that violate compliance regulations, reveal confidential company information, or be used to craft phishing emails or social engineering attacks. While specific victim counts are unavailable, organizations that heavily rely on M365 Copilot for sensitive tasks are at heightened risk. If the attack succeeds, the AI's output is no longer trustworthy, potentially damaging brand reputation, incurring legal penalties, and compromising internal security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure Microsoft Purview eDiscovery to export M365 Copilot prompt logs, capturing user interactions and prompts (as described in <code>how_to_implement</code>).</li>
<li>Deploy the Sigma rule <code>M365 Copilot Impersonation Jailbreak Attack</code> to your SIEM and tune the <code>m365_copilot_impersonation_jailbreak_attack_filter</code> macro to reduce false positives based on your environment.</li>
<li>Investigate alerts generated by the Sigma rule, focusing on users with high-risk scores as identified by the RBA message <code>User $user$ attempted M365 Copilot impersonation jailbreak with impersonation type $impersonation_type$</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>copilot</category><category>jailbreak</category><category>ai</category><category>persona-injection</category></item><item><title>Ollama API Prompt Injection and Jailbreak Attempts</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-ollama-prompt-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-ollama-prompt-injection/</guid><description>Detects potential prompt injection and jailbreak attempts against Ollama API endpoints by identifying requests with abnormally long response times, indicative of attackers crafting complex prompts to bypass AI safety controls.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting prompt injection and jailbreak attempts targeting Ollama, an open-source framework for running large language models (LLMs) locally. Attackers are increasingly targeting LLMs with crafted prompts designed to bypass safety controls, extract sensitive information, or manipulate model behavior. This is achieved by injecting malicious instructions into user queries, leading to unintended or harmful outputs. The detection identifies suspicious activity against Ollama API endpoints (/api/generate and /v1/chat/completions) by monitoring response times. Requests exceeding 30 seconds, coupled with high request frequency, may indicate a sophisticated jailbreak attempt, multi-stage prompt injection, or extraction of sensitive data from the model. Defenders should be aware of this emerging threat to maintain the integrity and security of their LLM deployments. The provided Sigma rules and recommendations enable proactive monitoring and alerting for these types of attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an Ollama instance exposed via API endpoints such as <code>/api/generate</code> or <code>/v1/chat/completions</code>.</li>
<li>The attacker crafts a malicious prompt designed to bypass safety filters or extract sensitive information (prompt injection).</li>
<li>The attacker sends the crafted prompt to the Ollama API endpoint via an HTTP POST request.</li>
<li>The Ollama server processes the complex prompt, leading to extended processing times.</li>
<li>The server logs the request details, including the URI path, source IP, HTTP method, response code, and response time.</li>
<li>A successful jailbreak or prompt injection may allow the attacker to extract internal data, manipulate model behavior, or bypass security controls.</li>
<li>The attacker repeats the process, refining the prompt based on previous responses.</li>
<li>The attacker potentially leverages the compromised Ollama instance for further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful prompt injection attacks against Ollama instances can lead to several critical impacts. Attackers may be able to extract sensitive data, manipulate the model to generate harmful or biased content, or bypass security controls designed to prevent misuse. While the specific number of victims is unknown, the increasing adoption of LLMs makes this a significant concern for organizations across various sectors. If successful, these attacks can compromise data confidentiality, integrity, and availability, leading to reputational damage and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Ollama Suspicious Long Request</code> to detect abnormally long response times indicative of prompt injection attempts. Enable Ollama server logging to capture the required data (response times, URI paths, source IPs) and configure Splunk TA-ollama to ingest the logs (sourcetype: <code>ollama:server</code>).</li>
<li>Investigate alerts triggered by the <code>Ollama Suspicious Long Request</code> rule, focusing on the source IP address (<code>src</code>) and the requested URI (<code>uri_path</code>) to understand the nature of the interaction with the Ollama API.</li>
<li>Implement rate limiting and input validation on Ollama API endpoints to mitigate the risk of prompt injection attacks.</li>
<li>Regularly review and update Ollama's safety filters and security configurations to address emerging prompt injection techniques.</li>
<li>Monitor <code>status_code</code> values in the logs for unusual HTTP response codes that might indicate errors or vulnerabilities being exploited during prompt processing.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ollama</category><category>prompt-injection</category><category>jailbreak</category><category>ai-security</category></item><item><title>Microsoft 365 Copilot Jailbreak Attempts via Prompt Injection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-jailbreak/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-m365-copilot-jailbreak/</guid><description>This detection identifies Microsoft 365 Copilot jailbreak attempts by detecting prompt injection techniques within exported eDiscovery prompt logs to circumvent built-in safety controls.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk of prompt injection attacks targeting Microsoft 365 Copilot. Attackers attempt to bypass safety controls and manipulate the AI's behavior through crafted prompts. The attacks leverage techniques such as rule manipulation, system bypass commands, and AI impersonation requests. Defenders need to monitor for these jailbreak attempts because successful prompt injections could lead to data exfiltration, policy violations, or other unauthorized activities within the M365 environment. The detection focuses on analyzing exported eDiscovery prompt logs, specifically the Subject_Title field, to identify prompts containing jailbreak keywords.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious prompt containing jailbreak keywords (e.g., &quot;pretend you are&quot;, &quot;act as&quot;, &quot;rules=&quot;, &quot;ignore&quot;, &quot;bypass&quot;, &quot;override&quot;).</li>
<li>The attacker submits the crafted prompt to Microsoft 365 Copilot.</li>
<li>The prompt is processed by Copilot, and an entry is logged in the M365 eDiscovery prompt logs, including the prompt text in the Subject_Title field.</li>
<li>An analyst exports the M365 eDiscovery prompt logs from the Microsoft Purview compliance portal.</li>
<li>The exported logs are ingested into a security information and event management (SIEM) system for analysis.</li>
<li>The SIEM searches the Subject_Title field for jailbreak keywords.</li>
<li>A risk score is assigned to the prompt based on the type of manipulation attempted.</li>
<li>If the jailbreak score meets or exceeds a predefined threshold, an alert is triggered.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful prompt injection attacks on Microsoft 365 Copilot can lead to various negative consequences, including data exfiltration, unauthorized access to sensitive information, violation of acceptable use policies, and the potential for the AI to generate harmful or misleading content. The number of victims depends on the scope of the compromised Copilot instance and the attacker's objectives. The sectors targeted would be any utilizing M365 Copilot.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure Microsoft Purview eDiscovery to export M365 Copilot prompt logs to a SIEM for analysis as described in the &quot;how_to_implement&quot; section of the source detection.</li>
<li>Deploy the provided Sigma rules to your SIEM to detect jailbreak attempts based on prompt injection techniques, tuning the threshold based on your environment.</li>
<li>Investigate triggered alerts, focusing on prompts with high jailbreak scores, to assess the potential impact and implement appropriate remediation measures.</li>
<li>Review and update M365 Copilot acceptable use policies to explicitly address the risks associated with prompt injection attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prompt-injection</category><category>jailbreak</category><category>microsoft365</category></item><item><title>Detection of M365 Copilot Jailbreak Attempts via Prompt Injection</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-m365-copilot-jailbreak/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-m365-copilot-jailbreak/</guid><description>This detection identifies attempts to jailbreak M365 Copilot by using prompt injection techniques to bypass safety controls and manipulate system behavior, potentially violating acceptable use policies.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of jailbreak attempts targeting Microsoft 365 Copilot. Attackers use prompt injection techniques to circumvent built-in safety controls. These attempts involve manipulating the AI's behavior through direct instruction, such as rule manipulation, system bypass commands, and unauthorized persona adoption. The attacks are identified by analyzing eDiscovery prompt logs for specific keywords associated with jailbreaking, including &quot;pretend you are,&quot; &quot;act as,&quot; &quot;rules=,&quot; &quot;ignore,&quot; &quot;bypass,&quot; and &quot;override.&quot; Successful jailbreak attempts can enable unauthorized access, data exfiltration, and policy violations, potentially leading to significant security breaches. This activity is detected by Splunk ES using the &quot;M365 Copilot Jailbreak Attempts&quot; detection rule.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious prompt containing jailbreaking keywords (e.g., &quot;ignore all previous rules&quot;).</li>
<li>The crafted prompt is submitted to M365 Copilot through a supported application.</li>
<li>M365 Copilot processes the prompt and attempts to fulfill the request, potentially bypassing safety controls.</li>
<li>The eDiscovery logs capture the prompt text in the <code>Subject_Title</code> field, along with user and timestamp information.</li>
<li>A security monitoring system, such as Splunk, ingests the eDiscovery logs.</li>
<li>The detection rule identifies prompts containing jailbreak keywords and assigns a severity score.</li>
<li>If the jailbreak score meets or exceeds a predefined threshold, an alert is triggered.</li>
<li>The attacker gains unauthorized control over Copilot's behavior, potentially leading to data exfiltration or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful jailbreak of M365 Copilot can lead to several negative outcomes. It allows attackers to bypass the intended safety measures and manipulate Copilot for unauthorized purposes. This can result in the exposure of sensitive information, violation of data governance policies, and potentially the execution of malicious commands within the M365 environment. The exact scope of impact depends on the level of access granted to Copilot and the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and configure M365 eDiscovery to capture Copilot prompt logs, ensuring the <code>Subject_Title</code>, <code>Sender</code>, timestamps, and workload metadata are included.</li>
<li>Deploy the provided Sigma rule <code>M365 Copilot Jailbreak Attempts</code> to your SIEM and tune the <code>jailbreak_score</code> threshold based on your environment.</li>
<li>Investigate any alerts generated by the rule, focusing on the <code>user</code>, <code>Subject_Title</code>, and <code>jailbreak_score</code> fields to understand the nature of the attempted jailbreak.</li>
<li>Implement user awareness training to educate employees about the risks of prompt injection and social engineering attacks targeting AI assistants.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>m365</category><category>copilot</category><category>jailbreak</category><category>prompt-injection</category><category>anomaly</category></item></channel></rss>