ATR-2026-00002highPrompt Injectionexperimental

Indirect Prompt Injection via External Content

Detects indirect prompt injection where malicious instructions are embedded within external content consumed by the agent -- documents, web pages, API responses, emails, or tool outputs. Detection layers cover: HTML comment injection with instruction-like content, zero-width character obfuscation (requiring 5+ consecutive chars to reduce false positives on legitimate multilingual text), model-specific special tokens, CSS- hidden text with injection payloads, invisible text addressing the AI agent directly, base64/encoding within content, data URI injection, markdown link abuse, hidden HTML elements, and white-on-white text techniques.

Severity

high

Response Actions

block inputalertsnapshotescalate

References

CVE

CVE-2024-5184 CVE-2024-22524 CVE-2025-32711 CVE-2026-24307

OWASP Agentic

ASI01:2026 - Agent Goal HijackASI06:2026 - Memory and Context Poisoning

OWASP LLM

LLM01:2025 - Prompt Injection

MITRE ATLAS

AML.T0051 - LLM Prompt InjectionAML.T0051.001 - Indirect

View full YAML on GitHub →

More Prompt Injection Rules

ATR-2026-00001highDirect Prompt Injection via User Input ATR-2026-00003highJailbreak Attempt Detection ATR-2026-00004criticalSystem Prompt Override Attempt ATR-2026-00005mediumMulti-Turn Prompt Injection ATR-2026-00080highEncoding-Based Prompt Injection Evasion