<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Threat-Research - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/threat-research/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 06:05:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/threat-research/feed.xml" rel="self" type="application/rss+xml"/><item><title>CrowdStrike Uncovers New Prompt Injection Techniques</title><link>https://feed.craftedsignal.io/briefs/2026-07-crowdstrike-prompt-injection/</link><pubDate>Wed, 08 Jul 2026 06:05:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-crowdstrike-prompt-injection/</guid><description>CrowdStrike's AI security research team has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 methods, which adversaries can use to manipulate AI systems and agents through hidden context, delayed triggers, semantic constraints, boundary spoofing, and social engineering, potentially leading to agent hijacking, data exfiltration, or system compromise by causing them to execute unintended commands like shell scripts or SQL queries.</description><content:encoded><![CDATA[<p>CrowdStrike's AI security research team, in July 2026, has expanded its taxonomy of prompt injection techniques by 18 new additions, now covering over 200 distinct methods adversaries are using to manipulate AI systems. These evolving techniques reflect how prompt injection attacks are manifesting in real-world AI systems, moving beyond simple jailbreaks to more sophisticated approaches. The core delivery mechanism involves indirect prompt injection, where malicious instructions are hidden within data consumed by AI agents, or through &quot;Unwitting User Delivery&quot; (IM0005) via social engineering. The threat matters for defenders because modern AI agents can perform sensitive actions such as crawling webpages, accessing file stores, and writing shell commands. Specific new techniques include Trigger-Activated Rule Addition (PT0201) for delayed activation, Cognitive Token Suppression (PT0197) to bypass safety mechanisms, Algorithmic Payload Decomposition (PT0200) for filter evasion, and Special Token Injection (PT0198) to confuse AI system boundaries, all aiming to hijack agent capabilities and cause further damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>This brief describes new techniques for prompt injection and does not detail a specific end-to-end attack campaign from initial access to impact. The following outlines how these techniques are leveraged once an attacker introduces a malicious prompt or data to an AI system.</p>
<ol>
<li><strong>Initial Access (via Social Engineering):</strong> An adversary employs social engineering or deceptive tactics to trick an authorized user into submitting a crafted prompt, effectively turning the user into an &quot;Unwitting User Delivery&quot; (IM0005) vector. This can involve copying/pasting hidden commands or using compromised browser extensions.</li>
<li><strong>Prompt Manipulation (Algorithmic Payload Decomposition):</strong> The attacker fragments a malicious instruction into multiple benign-looking steps, variables, or characters. This &quot;Algorithmic Payload Decomposition&quot; (PT0200) technique evades immediate detection by filters.</li>
<li><strong>Bypass Defenses (Special Token Injection):</strong> The fragmented payload or a new prompt includes &quot;Special Token Injection&quot; (PT0198), mimicking internal structural cues (e.g., <code>&lt;tool_call&gt;</code>) used by the AI system to differentiate system commands from user input, causing boundary confusion and elevating untrusted content.</li>
<li><strong>Evasion (Cognitive Token Suppression):</strong> The malicious prompt attempts &quot;Cognitive Token Suppression&quot; (PT0197) by instructing the AI model to avoid using specific safety-related terms or refusal vocabulary, hindering its ability to generate secure responses or block the attack.</li>
<li><strong>Delayed Execution (Trigger-Activated Rule Addition):</strong> The attacker embeds a &quot;Trigger-Activated Rule Addition&quot; (PT0201) instruction into the AI's context. This instruction remains dormant until a specific trigger phrase, event, or condition occurs, at which point the AI agent begins to follow the new, malicious rule.</li>
<li><strong>Action on Objectives (Execution):</strong> The compromised AI agent, following the injected rules, executes unintended or malicious commands, such as an <code>execute_sql_query</code> to access sensitive data, or shell commands to interact with underlying systems.</li>
<li><strong>Impact (Data Exfiltration):</strong> The AI agent, now under adversary control, proceeds to exfiltrate data, for example, by duplicating and forwarding sensitive emails to an attacker-controlled address like <code>anon@evilcorp.corp</code>, or by accessing and leaking internal files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed impact of successful prompt injection ranges from subtle manipulation of AI behavior to significant security breaches. Adversaries can hijack agent capabilities, leading to unintended actions like executing arbitrary shell commands, performing SQL injection-like queries, or accessing and exfiltrating sensitive data. This can bypass existing security rules, steer agents into unsafe actions, and result in data loss or system compromise. While specific victim counts are not provided, the techniques target general AI systems and agents, affecting any organization deploying such technologies, especially those relying on AI for critical operations or data handling.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement robust AI threat modeling that accounts for all possible origins of model context, including prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to understand potential injection points.</li>
<li>Conduct targeted AI red teaming exercises that go beyond simple &quot;ignore previous instructions&quot; and incorporate boundary mimicry, indirect injection, and delayed activation scenarios, as described by techniques like PT0198 and PT0201.</li>
<li>Monitor for and block outbound network connections from AI systems or agents to suspicious domains, such as <code>evilcorp.corp</code>, which was identified as an exfiltration target in an example for the IM0005 technique.</li>
<li>Educate users on the risks of &quot;Unwitting User Delivery&quot; (IM0005) by training them to recognize and avoid deceptive tactics that could lead to submitting malicious prompts.</li>
<li>Deploy specialized AI security solutions capable of analyzing and detecting fragmented (PT0200), suppressed (PT0197), or specially tokenized (PT0198) instructions within prompts before they are processed by AI models.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prompt-injection</category><category>ai-security</category><category>llm</category><category>agentic-ai</category><category>cloud</category><category>threat-research</category></item></channel></rss>