Uncover real-world indirect prompt injection attacks and learn how adversaries weaponize hidden web content to exploit LLMs for high-impact fraud.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Researchers from Palo Alto Networks Unit 42 present the first documented real-world cases of indirect prompt injection (IDPI) attacks observed in the wild. Unlike direct prompt injection, IDPI embeds hidden or manipulated instructions within web content that AI agents later consume, causing them to execute attacker-controlled commands. The research documents 12 real-world cases spanning attacker intents from low-severity (irrelevant output, resource exhaustion) to critical (data destruction, DoS via fork bomb, sensitive information leakage). A notable first is an AI-based ad review bypass where a scam page used 24 distinct injection attempts to trick an LLM ad-checker into approving fraudulent content. The paper provides a detailed taxonomy of 22 payload engineering techniques including visual concealment (zero-sizing, off-screen positioning, CSS suppression), obfuscation (SVG/XML encapsulation, HTML attribute cloaking), dynamic runtime assembly, and jailbreak methods (invisible characters, homoglyph substitution, multilingual instructions, social engineering). Telemetry analysis shows social engineering dominates jailbreak methods (85.2%), visible plaintext is the most common delivery method (37.8%), and irrelevant output is the top attacker intent (28.6%). Defenses discussed include spotlighting, instruction hierarchy, adversarial training, and design-level mitigations.

Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

The First Real-World AI Ad Review Bypass with IDPI