ATR-2026-00005mediumPrompt Injectionexperimental

Multi-Turn Prompt Injection

Detects multi-turn prompt injection where an attacker gradually manipulates the agent across conversation turns. Rather than using unsupported behavioral operators, this rule uses regex-based detection of linguistic markers that appear in multi-turn attacks: trust-building phrases followed by escalation, incremental boundary-pushing language, false references to prior agreement, context anchoring and gaslighting, progressive request escalation patterns, refusal fatigue phrases, and conversation history manipulation. Each pattern targets a specific phase of the multi-turn attack lifecycle using only the regex operator for engine compatibility.

Severity

medium

Response Actions

alertsnapshotescalate

References

OWASP Agentic

ASI01:2026 - Agent Goal Hijack

OWASP LLM

LLM01:2025 - Prompt Injection

MITRE ATLAS

AML.T0051 - LLM Prompt InjectionAML.T0043 - Craft Adversarial Data

View full YAML on GitHub →

More Prompt Injection Rules

ATR-2026-00001highDirect Prompt Injection via User Input ATR-2026-00002highIndirect Prompt Injection via External Content ATR-2026-00003highJailbreak Attempt Detection ATR-2026-00004criticalSystem Prompt Override Attempt ATR-2026-00080highEncoding-Based Prompt Injection Evasion