Description

CrowdStrike has expanded its prompt injection taxonomy with 18 new techniques, increasing the total to more than 200 documented attack methods, highlighting the growing security risks associated with enterprise AI agents. As organizations deploy AI systems capable of accessing files, executing commands, interacting with APIs, and automating workflows, prompt injection has become a critical threat. Unlike direct attacks, these techniques often exploit indirect vectors by embedding hidden instructions in trusted sources like web pages, emails, APIs, SaaS platforms, or retrieved data. Once processed by AI agents, these hidden prompts can manipulate model behavior, bypass safeguards, and trigger unauthorized actions without the user's awareness. The initial attack phase focuses on concealing malicious instructions within trusted content. Trigger-Activated Rule Addition (PT0201) inserts dormant instructions that activate only when specific keywords or conditions are met, making detection difficult. Algorithmic Payload Decomposition (PT0200) breaks harmful commands into harmless-looking fragments that the AI later reconstructs into executable instructions, bypassing traditional filters. Special Token Injection (PT0198) exploits formatting cues and structural delimiters to disguise user input as system-level instructions or tool commands, potentially gaining higher execution priority. The next phase targets AI reasoning and trusted users. Cognitive Token Suppression (PT0197) restricts the model's use of safety-related vocabulary, reducing its ability to generate strong refusal responses and increasing the likelihood of unsafe outputs. Unwitting User Delivery (IM0005) uses social engineering to trick users into submitting malicious prompts through copied text, embedded media, or compromised browser extensions. Since these prompts originate from authenticated users, they are harder to detect and enables unauthorized actions across enterprise environments. Organizations should strengthen AI threat modeling, conduct advanced red teaming, monitor prompt and response activity in real time, enforce security policies across AI workflows, and implement behavioral detection to identify and mitigate multi-stage prompt injection attacks before they compromise enterprise AI systems.