1. Attacks Matrix
  1.1. Introduction
  1.2. How to Contribute
  1.3. Q&A
2. Tactics
  2.1. Reconnaissance
    2.1.1. Search for Victim's Publicly Available Research Materials
    2.1.2. Search Victim-Owned Websites
    2.1.3. Search for Victim's Publicly Available Code Repositories
    2.1.4. Search Application Repositories
    2.1.5. Gather RAG-Indexed Targets
    2.1.6. Active Scanning
  2.2. Resource Development
    2.2.1. Commercial License Abuse
    2.2.2. LLM Prompt Crafting
    2.2.3. Acquire Infrastructure
    2.2.4. Develop Capabilities
    2.2.5. Poison Training Data
    2.2.6. Publish Hallucinated Entities
    2.2.7. Retrieval Content Crafting
    2.2.8. Establish Accounts
    2.2.9. Publish Poisoned Datasets
    2.2.10. Obtain Capabilities
    2.2.11. Publish Poisoned Models
    2.2.12. Acquire Public ML Artifacts
    2.2.13. Obtain Generative AI Capabilities
  2.3. Initial Access
    2.3.1. Retrieval Tool Poisoning
    2.3.2. RAG Poisoning
    2.3.3. Compromised User
    2.3.4. Web Poisoning
    2.3.5. User Manipulation
    2.3.6. Guest User Abuse
    2.3.7. ML Supply Chain Compromise
    2.3.8. Evade ML Model
    2.3.9. Valid Accounts
    2.3.10. Exploit Public-Facing Application
    2.3.11. Phishing
  2.4. ML Model Access
    2.4.1. Physical Environment Access
    2.4.2. Full ML Model Access
    2.4.3. AI Model Inference API Access
    2.4.4. ML-Enabled Product or Service
  2.5. Execution
    2.5.1. User Execution
    2.5.2. LLM Plugin Compromise
    2.5.3. LLM Prompt Injection
    2.5.4. AI Click Bait
    2.5.5. Command and Scripting Interpreter
    2.5.6. Off-Target Language
    2.5.7. System Instruction Keywords
  2.6. Persistence
    2.6.1. RAG Poisoning
    2.6.2. Thread Infection
    2.6.3. LLM Prompt Self-Replication
    2.6.4. Poison Training Data
    2.6.5. Backdoor ML Model
    2.6.6. Memory Infection
  2.7. Privilege Escalation
    2.7.1. LLM Plugin Compromise
    2.7.2. LLM Jailbreak
    2.7.3. Off-Target Language
    2.7.4. Crescendo
    2.7.5. System Instruction Keywords
  2.8. Defense Evasion
    2.8.1. URL Familiarizing
    2.8.2. LLM Trusted Output Components Manipulation
    2.8.3. Abuse Trusted Sites
    2.8.4. Blank Image
    2.8.5. Evade ML Model
    2.8.6. ASCII Smuggling
    2.8.7. LLM Prompt Obfuscation
    2.8.8. Delayed Execution
    2.8.9. Instructions Silencing
    2.8.10. False RAG Entry Injection
    2.8.11. Distraction
    2.8.12. Conditional Execution
    2.8.13. LLM Jailbreak
    2.8.14. Indirect Data Access
    2.8.15. Citation Manipulation
    2.8.16. Off-Target Language
    2.8.17. Crescendo
    2.8.18. System Instruction Keywords
    2.8.19. Citation Silencing
  2.9. Credential Access
    2.9.1. Unsecured Credentials
    2.9.2. RAG Credential Harvesting
    2.9.3. Retrieval Tool Credential Harvesting
  2.10. Discovery
    2.10.1. Discover ML Artifacts
    2.10.2. Discover LLM Hallucinations
    2.10.3. Discover AI Model Outputs
    2.10.4. Discover ML Model Family
    2.10.5. Failure Mode Mapping
    2.10.6. Discover ML Model Ontology
    2.10.7. Discover LLM System Information
    2.10.8. Whoami
    2.10.9. Tool Definition Discovery
    2.10.10. Embedded Knowledge Exposure
    2.10.11. Discover System Prompt
    2.10.12. Discover System Instruction Keywords
    2.10.13. Discover Special Character Sets
  2.11. Lateral Movement
    2.11.1. Message Poisoning
    2.11.2. Shared Resource Poisoning
  2.12. Collection
    2.12.1. Data from Information Repositories
    2.12.2. Data from Local System
    2.12.3. Thread History Harvesting
    2.12.4. RAG Data Harvesting
    2.12.5. Retrieval Tool Data Harvesting
    2.12.6. User Message Harvesting
    2.12.7. ML Artifact Collection
    2.12.8. Memory Data Hording
  2.13. ML Attack Staging
    2.13.1. Craft Adversarial Data
    2.13.2. Backdoor ML Model
    2.13.3. Create Proxy ML Model
    2.13.4. Verify Attack
  2.14. Command And Control
    2.14.1. Search Index C2
    2.14.2. Public Web C2
  2.15. Exfiltration
    2.15.1. Write Tool Invocation
    2.15.2. Granular Web Request Triggering
    2.15.3. Abuse Trusted Sites
    2.15.4. Granular Clickable Link Rendering
    2.15.5. Web Request Triggering
    2.15.6. Exfiltration via ML Inference API
    2.15.7. Extract LLM System Prompt
    2.15.8. Image Rendering
    2.15.9. LLM Data Leakage
    2.15.10. Clickable Link Rendering
    2.15.11. Exfiltration via Cyber Means
  2.16. Impact
    2.16.1. External Harms
    2.16.2. Cost Harvesting
    2.16.3. Evade ML Model
    2.16.4. Erode ML Model Integrity
    2.16.5. Spamming ML System with Chaff Data
    2.16.6. Mutative Tool Invocation
    2.16.7. Erode Dataset Integrity
    2.16.8. Denial of ML Service
3. Procedures
  3.1. Data Exfiltration from Slack AI via indirect prompt injection
  3.2. Exfiltration of personal information from ChatGPT via prompt injection
  3.3. GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
  3.4. Copilot M365 Lures Victims Into a Phishing Site
  3.5. spAIware
  3.6. Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
  3.7. X Bot Exposing Itself After Training on a Poisoned Github Repository
  3.8. ChatGPT and Gemini jailbreak using the Crescendo technique
  3.9. Financial Transaction Hijacking With M365 Copilot As An Insider
  3.10. EchoLeak: Zero-Click Data Exfiltration using M365 Copilot
  3.11. AI ClickFix: Hijacking Computer-Use Agents Using ClickFix
  3.12. Microsoft Copilot Purview Audit Log Evasion and DLP Bypass
  3.13. Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
4. Platforms
  4.1. Microsoft Copilot
  4.2. ChatGPT
  4.3. Gemini
  4.4. Claude
  4.5. Microsoft Copilot for M365
  4.6. SlackAI
  4.7. GitHub Copilot
5. Mitigations
  5.1. Information Flow Control
  5.2. LLM Activations
  5.3. Content Security Policy
  5.4. URL Anchoring
  5.5. Spotlighting
  5.6. Index-Based Browsing
6. Entities
  6.1. Ahmed Salem
  6.2. Dmitry Lozovoy
  6.3. Michael Bargury
  6.4. Lana Salameh
  6.5. Tamir Ishay Sharbat
  6.6. Riley Goodside
  6.7. Simon Willison
  6.8. Jonathan Cefalu
  6.9. Ayush RoyChowdhury
  6.10. Johann Rehberger
  6.11. Pliny
  6.12. Gal Malka
  6.13. Mark Russinovich
  6.14. PromptArmor
  6.15. Ronen Eldan
  6.16. Gregory Schwartzman
  6.17. Aim Security
AI Agents Attack Matrix
Entities
Ahmed Salem
Dmitry Lozovoy
Michael Bargury
Lana Salameh
Tamir Ishay Sharbat
Riley Goodside
Simon Willison
Jonathan Cefalu
Ayush RoyChowdhury
Johann Rehberger
Pliny
Gal Malka
Mark Russinovich
PromptArmor
Ronen Eldan
Gregory Schwartzman
Aim Security