1. Attacks Matrix
    1.1. Introduction
    1.2. How to Contribute
    1.3. Q&A
2. Tactics
    2.1. Reconnaissance
        2.1.1. Search for Victim's Publicly Available Research Materials
        2.1.2. Search Victim-Owned Websites
        2.1.3. Search for Victim's Publicly Available Code Repositories
        2.1.4. Search Application Repositories
        2.1.5. Gather RAG-Indexed Targets
        2.1.6. Active Scanning
    2.2. Resource Development
        2.2.1. Commercial License Abuse
        2.2.2. LLM Prompt Crafting
        2.2.3. Acquire Infrastructure
        2.2.4. Develop Capabilities
        2.2.5. Poison Training Data
        2.2.6. Publish Hallucinated Entities
        2.2.7. Retrieval Content Crafting
        2.2.8. Establish Accounts
        2.2.9. Publish Poisoned Datasets
        2.2.10. Obtain Capabilities
        2.2.11. Publish Poisoned Models
        2.2.12. Acquire Public ML Artifacts
        2.2.13. Obtain Generative AI Capabilities
    2.3. Initial Access
        2.3.1. Retrieval Tool Poisoning
        2.3.2. RAG Poisoning
        2.3.3. Compromised User
        2.3.4. Web Poisoning
        2.3.5. User Manipulation
        2.3.6. Guest User Abuse
        2.3.7. ML Supply Chain Compromise
        2.3.8. Evade ML Model
        2.3.9. Valid Accounts
        2.3.10. Exploit Public-Facing Application
        2.3.11. Phishing
    2.4. ML Model Access
        2.4.1. Physical Environment Access
        2.4.2. Full ML Model Access
        2.4.3. AI Model Inference API Access
        2.4.4. ML-Enabled Product or Service
    2.5. Execution
        2.5.1. User Execution
        2.5.2. LLM Plugin Compromise
        2.5.3. LLM Prompt Injection
        2.5.4. AI Click Bait
        2.5.5. Command and Scripting Interpreter
        2.5.6. Off-Target Language
        2.5.7. System Instruction Keywords
    2.6. Persistence
        2.6.1. RAG Poisoning
        2.6.2. Thread Infection
        2.6.3. LLM Prompt Self-Replication
        2.6.4. Poison Training Data
        2.6.5. Backdoor ML Model
        2.6.6. Memory Infection
    2.7. Privilege Escalation
        2.7.1. LLM Plugin Compromise
        2.7.2. LLM Jailbreak
        2.7.3. Off-Target Language
        2.7.4. Crescendo
        2.7.5. System Instruction Keywords
    2.8. Defense Evasion
        2.8.1. URL Familiarizing
        2.8.2. LLM Trusted Output Components Manipulation
        2.8.3. Abuse Trusted Sites
        2.8.4. Blank Image
        2.8.5. Evade ML Model
        2.8.6. ASCII Smuggling
        2.8.7. LLM Prompt Obfuscation
        2.8.8. Delayed Execution
        2.8.9. Instructions Silencing
        2.8.10. False RAG Entry Injection
        2.8.11. Distraction
        2.8.12. Conditional Execution
        2.8.13. LLM Jailbreak
        2.8.14. Indirect Data Access
        2.8.15. Citation Manipulation
        2.8.16. Off-Target Language
        2.8.17. Crescendo
        2.8.18. System Instruction Keywords
        2.8.19. Citation Silencing
    2.9. Credential Access
        2.9.1. Unsecured Credentials
        2.9.2. RAG Credential Harvesting
        2.9.3. Retrieval Tool Credential Harvesting
    2.10. Discovery
        2.10.1. Discover ML Artifacts
        2.10.2. Discover LLM Hallucinations
        2.10.3. Discover AI Model Outputs
        2.10.4. Discover ML Model Family
        2.10.5. Failure Mode Mapping
        2.10.6. Discover ML Model Ontology
        2.10.7. Discover LLM System Information
        2.10.8. Whoami
        2.10.9. Tool Definition Discovery
        2.10.10. Embedded Knowledge Exposure
        2.10.11. Discover System Prompt
        2.10.12. Discover System Instruction Keywords
        2.10.13. Discover Special Character Sets
    2.11. Lateral Movement
        2.11.1. Message Poisoning
        2.11.2. Shared Resource Poisoning
    2.12. Collection
        2.12.1. Data from Information Repositories
        2.12.2. Data from Local System
        2.12.3. Thread History Harvesting
        2.12.4. RAG Data Harvesting
        2.12.5. Retrieval Tool Data Harvesting
        2.12.6. User Message Harvesting
        2.12.7. ML Artifact Collection
        2.12.8. Memory Data Hoarding
    2.13. ML Attack Staging
        2.13.1. Craft Adversarial Data
        2.13.2. Backdoor ML Model
        2.13.3. Create Proxy ML Model
        2.13.4. Verify Attack
    2.14. Command And Control
        2.14.1. Search Index C2
        2.14.2. Public Web C2
    2.15. Exfiltration
        2.15.1. Write Tool Invocation
        2.15.2. Granular Web Request Triggering
        2.15.3. Abuse Trusted Sites
        2.15.4. Granular Clickable Link Rendering
        2.15.5. Web Request Triggering
        2.15.6. Exfiltration via ML Inference API
        2.15.7. Extract LLM System Prompt
        2.15.8. Image Rendering
        2.15.9. LLM Data Leakage
        2.15.10. Clickable Link Rendering
        2.15.11. Exfiltration via Cyber Means
    2.16. Impact
        2.16.1. External Harms
        2.16.2. Cost Harvesting
        2.16.3. Evade ML Model
        2.16.4. Erode ML Model Integrity
        2.16.5. Spamming ML System with Chaff Data
        2.16.6. Mutative Tool Invocation
        2.16.7. Erode Dataset Integrity
        2.16.8. Denial of ML Service
3. Procedures
    3.1. Data Exfiltration from Slack AI via indirect prompt injection
    3.2. Exfiltration of personal information from ChatGPT via prompt injection
    3.3. GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
    3.4. Copilot M365 Lures Victims Into a Phishing Site
    3.5. spAIware
    3.6. Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
    3.7. X Bot Exposing Itself After Training on a Poisoned GitHub Repository
    3.8. ChatGPT and Gemini jailbreak using the Crescendo technique
    3.9. Financial Transaction Hijacking With M365 Copilot As An Insider
    3.10. EchoLeak: Zero-Click Data Exfiltration using M365 Copilot
    3.11. AI ClickFix: Hijacking Computer-Use Agents Using ClickFix
    3.12. Microsoft Copilot Purview Audit Log Evasion and DLP Bypass
    3.13. Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
4. Platforms
    4.1. Microsoft Copilot
    4.2. ChatGPT
    4.3. Gemini
    4.4. Claude
    4.5. Microsoft Copilot for M365
    4.6. SlackAI
    4.7. GitHub Copilot
5. Mitigations
    5.1. Information Flow Control
    5.2. LLM Activations
    5.3. Content Security Policy
    5.4. URL Anchoring
    5.5. Spotlighting
    5.6. Index-Based Browsing
6. Entities
    6.1. Ahmed Salem
    6.2. Dmitry Lozovoy
    6.3. Michael Bargury
    6.4. Lana Salameh
    6.5. Tamir Ishay Sharbat
    6.6. Riley Goodside
    6.7. Simon Willison
    6.8. Jonathan Cefalu
    6.9. Ayush RoyChowdhury
    6.10. Johann Rehberger
    6.11. Pliny
    6.12. Gal Malka
    6.13. Mark Russinovich
    6.14. PromptArmor
    6.15. Ronen Eldan
    6.16. Gregory Schwartzman
    6.17. Aim Security

AI Agents Attack Matrix

Platforms

  • Microsoft Copilot
  • ChatGPT
  • Gemini
  • Claude
  • Microsoft Copilot for M365
  • SlackAI
  • GitHub Copilot