1. Attacks Matrix
   1.1. Introduction
   1.2. How to Contribute
   1.3. Q&A
2. Tactics
   2.1. Reconnaissance
        2.1.1. Search Open Sources
        2.1.2. Active Scanning
        2.1.3. Search Closed Sources
        2.1.4. Finding RAG-Indexed Targets
   2.2. Resource Development
        2.2.1. Commercial License Abuse
        2.2.2. Prompt Crafting
        2.2.3. Prompt Stabilizing
   2.3. Initial Access
        2.3.1. RAG Poisoning
        2.3.2. Retrieval Tool Poisoning
        2.3.3. Targeted RAG Poisoning
        2.3.4. Compromised User
        2.3.5. Web Poisoning
        2.3.6. Guest User Abuse
        2.3.7. User Manipulation
   2.4. Execution
        2.4.1. Prompt Injection
        2.4.2. Off-Target Language
        2.4.3. System Instruction Keywords
   2.5. Persistence
        2.5.1. Resource Poisoning
        2.5.2. Thread Infection
        2.5.3. Memory Infection
   2.6. Privilege Escalation
        2.6.1. Jailbreaking
        2.6.2. Crescendo
        2.6.3. Off-Target Language
        2.6.4. System Instruction Keywords
   2.7. Defense Evasion
        2.7.1. Indirect Data Access
        2.7.2. Distraction
        2.7.3. Citation Silencing
        2.7.4. Blank Image
        2.7.5. Conditional Execution
        2.7.6. URL Familiarizing
        2.7.7. Delayed Execution
        2.7.8. ASCII Smuggling
        2.7.9. RAG Injection
        2.7.10. These Aren't The Droids
   2.8. Credential Access
        2.8.1. Retrieval Tool Credential Harvesting
        2.8.2. RAG Credential Harvesting
   2.9. Discovery
        2.9.1. Delimiters and Special Character Extraction
        2.9.2. Whoami
        2.9.3. Failure Mode Mapping
        2.9.4. Embedded Knowledge Exposure
        2.9.5. System Instructions Extraction
        2.9.6. Tool Definition Discovery
   2.10. Lateral Movement
        2.10.1. Shared Resource Poisoning
        2.10.2. Message Poisoning
   2.11. Collection
        2.11.1. RAG Data Harvesting
        2.11.2. Memory Data Hording
        2.11.3. User Message Harvesting
        2.11.4. Retrieval Tool Data Harvesting
        2.11.5. Thread History Harvesting
   2.12. Command And Control
        2.12.1. Search Index C2
        2.12.2. Public Web C2
   2.13. Exfiltration
        2.13.1. Granular Clickable Link Rendering
        2.13.2. Granular Web Request Triggering
        2.13.3. Web Request Triggering
        2.13.4. Clickable Link Rendering
        2.13.5. Write Tool Invocation
        2.13.6. Image Rendering
   2.14. Impact
        2.14.1. Citation Manipulation
        2.14.2. AI Social Engineering
        2.14.3. Mutative Tool Invocation
3. Procedures
   3.1. ChatGPT and Gemini jailbreak using the Crescendo technique
   3.2. Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
   3.3. Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
   3.4. Exfiltration of personal information from ChatGPT via prompt injection
   3.5. Financial Transaction Hijacking With M365 Copilot As An Insider
   3.6. GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
   3.7. Microsoft Copilot Purview Audit Log Evasion and DLP Bypass
   3.8. Copilot M365 Lures Victims Into a Phishing Site
   3.9. Data Exfiltration from Slack AI via indirect prompt injection
   3.10. spAIware
4. Platforms
   4.1. Microsoft Copilot
   4.2. SlackAI
   4.3. ChatGPT
   4.4. Gemini
   4.5. Microsoft Copilot for M365
   4.6. GitHub Copilot
5. Mitigations
   5.1. Index-Based Browsing
   5.2. URL Anchoring
   5.3. Content Security Policy
6. Entities
   6.1. Pliny
   6.2. Gal Malka
   6.3. Michael Bargury
   6.4. Jonathan Cefalu
   6.5. Lana Salameh
   6.6. Dmitry Lozovoy
   6.7. Ronen Eldan
   6.8. Tamir Ishay Sharbat
   6.9. Johann Rehberger
   6.10. PromptArmor
   6.11. Simon Willison
   6.12. Ahmed Salem
   6.13. Riley Goodside
   6.14. Mark Russinovich
   6.15. Ayush RoyChowdhury
   6.16. Gregory Schwartzman
GenAI Attacks Matrix
Entities
Pliny
Gal Malka
Michael Bargury
Jonathan Cefalu
Lana Salameh
Dmitry Lozovoy
Ronen Eldan
Tamir Ishay Sharbat
Johann Rehberger
PromptArmor
Simon Willison
Ahmed Salem
Riley Goodside
Mark Russinovich
Ayush RoyChowdhury
Gregory Schwartzman