1.
Attacks Matrix
❱
1.1.
Introduction
1.2.
How to Contribute
1.3.
Q&A
2.
Tactics
❱
2.1.
Reconnaissance
❱
2.1.1.
Gather RAG-Indexed Targets
2.1.2.
Search Victim-Owned Websites
2.1.3.
Search for Victim's Publicly Available Research Materials
2.1.4.
Search for Victim's Publicly Available Code Repositories
2.1.5.
Search Application Repositories
2.1.6.
Active Scanning
2.2.
Resource Development
❱
2.2.1.
Commercial License Abuse
2.2.2.
Obtain Capabilities
2.2.3.
LLM Prompt Crafting
2.2.4.
Publish Poisoned Datasets
2.2.5.
Publish Hallucinated Entities
2.2.6.
Establish Accounts
2.2.7.
Acquire Infrastructure
2.2.8.
Acquire Public ML Artifacts
2.2.9.
Develop Capabilities
2.2.10.
Publish Poisoned Models
2.2.11.
Poison Training Data
2.3.
Initial Access
❱
2.3.1.
RAG Poisoning
2.3.2.
ML Supply Chain Compromise
2.3.3.
Evade ML Model
2.3.4.
Retrieval Content Crafting
2.3.5.
User Manipulation
2.3.6.
Retrieval Tool Poisoning
2.3.7.
Phishing
2.3.8.
Compromised User
2.3.9.
Guest User Abuse
2.3.10.
Valid Accounts
2.3.11.
Web Poisoning
2.3.12.
Exploit Public-Facing Application
2.4.
ML Model Access
❱
2.4.1.
Full ML Model Access
2.4.2.
AI Model Inference API Access
2.4.3.
ML-Enabled Product or Service
2.4.4.
Physical Environment Access
2.5.
Execution
❱
2.5.1.
LLM Plugin Compromise
2.5.2.
LLM Prompt Injection
2.5.3.
Command and Scripting Interpreter
2.5.4.
User Execution
2.5.5.
Off-Target Language
2.5.6.
System Instruction Keywords
2.6.
Persistence
❱
2.6.1.
RAG Poisoning
2.6.2.
Thread Infection
2.6.3.
Resource Poisoning
2.6.4.
LLM Prompt Self-Replication
2.6.5.
Backdoor ML Model
2.6.6.
Memory Infection
2.6.7.
Poison Training Data
2.7.
Privilege Escalation
❱
2.7.1.
LLM Plugin Compromise
2.7.2.
LLM Jailbreak
2.7.3.
Off-Target Language
2.7.4.
System Instruction Keywords
2.7.5.
Crescendo
2.8.
Defense Evasion
❱
2.8.1.
Blank Image
2.8.2.
Instructions Silencing
2.8.3.
Distraction
2.8.4.
Evade ML Model
2.8.5.
False RAG Entry Injection
2.8.6.
LLM Prompt Obfuscation
2.8.7.
ASCII Smuggling
2.8.8.
Conditional Execution
2.8.9.
LLM Jailbreak
2.8.10.
Delayed Execution
2.8.11.
Indirect Data Access
2.8.12.
URL Familiarizing
2.8.13.
LLM Trusted Output Components Manipulation
2.8.14.
Off-Target Language
2.8.15.
Citation Manipulation
2.8.16.
Citation Silencing
2.8.17.
System Instruction Keywords
2.8.18.
Crescendo
2.9.
Credential Access
❱
2.9.1.
Unsecured Credentials
2.9.2.
RAG Credential Harvesting
2.9.3.
Retrieval Tool Credential Harvesting
2.10.
Discovery
❱
2.10.1.
Discover ML Model Family
2.10.2.
Discover LLM Hallucinations
2.10.3.
Whoami
2.10.4.
Discover LLM System Information
2.10.5.
Failure Mode Mapping
2.10.6.
Discover ML Model Ontology
2.10.7.
Discover ML Artifacts
2.10.8.
Discover AI Model Outputs
2.10.9.
Embedded Knowledge Exposure
2.10.10.
Tool Definition Discovery
2.10.11.
Discover System Prompt
2.10.12.
Discover Special Character Sets
2.10.13.
Discover System Instruction Keywords
2.11.
Lateral Movement
❱
2.11.1.
Shared Resource Poisoning
2.11.2.
Message Poisoning
2.12.
Collection
❱
2.12.1.
User Message Harvesting
2.12.2.
Memory Data Hording
2.12.3.
Data from Information Repositories
2.12.4.
ML Artifact Collection
2.12.5.
Thread History Harvesting
2.12.6.
RAG Data Harvesting
2.12.7.
Retrieval Tool Data Harvesting
2.12.8.
Data from Local System
2.13.
ML Attack Staging
❱
2.13.1.
Verify Attack
2.13.2.
Create Proxy ML Model
2.13.3.
Backdoor ML Model
2.13.4.
Craft Adversarial Data
2.14.
Command And Control
❱
2.14.1.
Public Web C2
2.14.2.
Search Index C2
2.15.
Exfiltration
❱
2.15.1.
Exfiltration via ML Inference API
2.15.2.
Exfiltration via Cyber Means
2.15.3.
Web Request Triggering
2.15.4.
Write Tool Invocation
2.15.5.
Image Rendering
2.15.6.
LLM Data Leakage
2.15.7.
Granular Web Request Triggering
2.15.8.
Clickable Link Rendering
2.15.9.
LLM Meta Prompt Extraction
2.15.10.
Granular Clickable Link Rendering
2.16.
Impact
❱
2.16.1.
Mutative Tool Invocation
2.16.2.
Evade ML Model
2.16.3.
Cost Harvesting
2.16.4.
Denial of ML Service
2.16.5.
Spamming ML System with Chaff Data
2.16.6.
External Harms
2.16.7.
Erode ML Model Integrity
2.16.8.
Erode Dataset Integrity
2.16.9.
LLM Trusted Output Components Manipulation
2.16.10.
Citation Manipulation
2.16.11.
Citation Silencing
3.
Procedures
❱
3.1.
Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
3.2.
Financial Transaction Hijacking With M365 Copilot As An Insider
3.3.
Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
3.4.
ChatGPT and Gemini jailbreak using the Crescendo technique
3.5.
Copilot M365 Lures Victims Into a Phishing Site
3.6.
GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
3.7.
Data Exfiltration from Slack AI via indirect prompt injection
3.8.
spAIware
3.9.
Microsoft Copilot Purview Audit Log Evasion and DLP Bypass
3.10.
Exfiltration of personal information from ChatGPT via prompt injection
4.
Platforms
❱
4.1.
ChatGPT
4.2.
GitHub Copilot
4.3.
Gemini
4.4.
Microsoft Copilot for M365
4.5.
SlackAI
4.6.
Microsoft Copilot
5.
Mitigations
❱
5.1.
Information Flow Control
5.2.
LLM Activations
5.3.
URL Anchoring
5.4.
Index-Based Browsing
5.5.
Spotlighting
5.6.
Content Security Policy
6.
Entities
❱
6.1.
Riley Goodside
6.2.
Ahmed Salem
6.3.
Tamir Ishay Sharbat
6.4.
Johann Rehberger
6.5.
Ronen Eldan
6.6.
Pliny
6.7.
Jonathan Cefalu
6.8.
Lana Salameh
6.9.
Mark Russinovich
6.10.
Ayush RoyChowdhury
6.11.
Michael Bargury
6.12.
Gregory Schwartzman
6.13.
PromptArmor
6.14.
Gal Malka
6.15.
Simon Willison
6.16.
Dmitry Lozovoy
Light
Rust
Coal
Navy
Ayu
GenAI Attacks Matrix
Entities
Riley Goodside
Ahmed Salem
Tamir Ishay Sharbat
Johann Rehberger
Ronen Eldan
Pliny
Jonathan Cefalu
Lana Salameh
Mark Russinovich
Ayush RoyChowdhury
Michael Bargury
Gregory Schwartzman
PromptArmor
Gal Malka
Simon Willison
Dmitry Lozovoy