1. Attacks Matrix
    1.1. Introduction
    1.2. How to Contribute
    1.3. Q&A
2. Tactics
    2.1. Reconnaissance
        2.1.1. Gather RAG-Indexed Targets
        2.1.2. Active Scanning
        2.1.3. Search for Victim's Publicly Available Code Repositories
        2.1.4. Search Open Technical Databases
        2.1.5. Search Application Repositories
        2.1.6. Search Victim-Owned Websites
        2.1.7. Search Open AI Vulnerability Analysis
    2.2. Resource Development
        2.2.1. Stage Capabilities
        2.2.2. Establish Accounts
        2.2.3. Acquire Public ML Artifacts
        2.2.4. Publish Poisoned Models
        2.2.5. Obtain Capabilities
        2.2.6. Publish Hallucinated Entities
        2.2.7. Publish Poisoned Datasets
        2.2.8. Acquire Infrastructure
        2.2.9. LLM Prompt Crafting
        2.2.10. Poison Training Data
        2.2.11. Retrieval Content Crafting
        2.2.12. Develop Capabilities
        2.2.13. Commercial License Abuse
        2.2.14. Obtain Generative AI Capabilities
    2.3. Initial Access
        2.3.1. Compromised User
        2.3.2. Retrieval Tool Poisoning
        2.3.3. Guest User Abuse
        2.3.4. AI Supply Chain Compromise
        2.3.5. RAG Poisoning
        2.3.6. Evade ML Model
        2.3.7. User Manipulation
        2.3.8. Phishing
        2.3.9. Web Poisoning
        2.3.10. Valid Accounts
        2.3.11. Drive-By Compromise
        2.3.12. Exploit Public-Facing Application
    2.4. ML Model Access
        2.4.1. Full ML Model Access
        2.4.2. ML-Enabled Product or Service
        2.4.3. AI Model Inference API Access
        2.4.4. Physical Environment Access
    2.5. Execution
        2.5.1. Command and Scripting Interpreter
        2.5.2. User Execution
        2.5.3. LLM Prompt Injection
        2.5.4. AI Click Bait
        2.5.5. LLM Plugin Compromise
        2.5.6. System Instruction Keywords
        2.5.7. Off-Target Language
    2.6. Persistence
        2.6.1. Thread Infection
        2.6.2. Memory Infection
        2.6.3. Manipulate AI Model
        2.6.4. RAG Poisoning
        2.6.5. LLM Prompt Self-Replication
        2.6.6. Poison Training Data
        2.6.7. Embed Malware
        2.6.8. Modify AI Model Architecture
        2.6.9. Poison AI Model
    2.7. Privilege Escalation
        2.7.1. LLM Jailbreak
        2.7.2. LLM Plugin Compromise
        2.7.3. System Instruction Keywords
        2.7.4. Crescendo
        2.7.5. Off-Target Language
    2.8. Defense Evasion
        2.8.1. False RAG Entry Injection
        2.8.2. Instructions Silencing
        2.8.3. Corrupt AI Model
        2.8.4. LLM Jailbreak
        2.8.5. Abuse Trusted Sites
        2.8.6. Delayed Execution
        2.8.7. Conditional Execution
        2.8.8. URL Familiarizing
        2.8.9. Impersonation
        2.8.10. ASCII Smuggling
        2.8.11. Evade ML Model
        2.8.12. Distraction
        2.8.13. Indirect Data Access
        2.8.14. Blank Image
        2.8.15. LLM Trusted Output Components Manipulation
        2.8.16. LLM Prompt Obfuscation
        2.8.17. Masquerading
        2.8.18. System Instruction Keywords
        2.8.19. Citation Silencing
        2.8.20. Crescendo
        2.8.21. Off-Target Language
        2.8.22. Citation Manipulation
    2.9. Credential Access
        2.9.1. Unsecured Credentials
        2.9.2. RAG Credential Harvesting
        2.9.3. Retrieval Tool Credential Harvesting
    2.10. Discovery
        2.10.1. Discover LLM Hallucinations
        2.10.2. Tool Definition Discovery
        2.10.3. Failure Mode Mapping
        2.10.4. Discover AI Model Outputs
        2.10.5. Discover ML Model Family
        2.10.6. Whoami
        2.10.7. Discover ML Artifacts
        2.10.8. Cloud Service Discovery
        2.10.9. Discover LLM System Information
        2.10.10. Discover ML Model Ontology
        2.10.11. Embedded Knowledge Exposure
        2.10.12. Discover Special Character Sets
        2.10.13. Discover System Prompt
        2.10.14. Discover System Instruction Keywords
    2.11. Lateral Movement
        2.11.1. Shared Resource Poisoning
        2.11.2. Message Poisoning
    2.12. Collection
        2.12.1. Data from Local System
        2.12.2. Memory Data Hording
        2.12.3. ML Artifact Collection
        2.12.4. Thread History Harvesting
        2.12.5. Retrieval Tool Data Harvesting
        2.12.6. RAG Data Harvesting
        2.12.7. Data from Information Repositories
        2.12.8. User Message Harvesting
    2.13. ML Attack Staging
        2.13.1. Craft Adversarial Data
        2.13.2. Manipulate AI Model
        2.13.3. Create Proxy ML Model
        2.13.4. Verify Attack
        2.13.5. Embed Malware
        2.13.6. Modify AI Model Architecture
        2.13.7. Poison AI Model
    2.14. Command And Control
        2.14.1. Reverse Shell
        2.14.2. Search Index C2
        2.14.3. Public Web C2
    2.15. Exfiltration
        2.15.1. Web Request Triggering
        2.15.2. Abuse Trusted Sites
        2.15.3. LLM Data Leakage
        2.15.4. Extract LLM System Prompt
        2.15.5. Exfiltration via ML Inference API
        2.15.6. Clickable Link Rendering
        2.15.7. Image Rendering
        2.15.8. Exfiltration via Cyber Means
        2.15.9. Write Tool Invocation
    2.16. Impact
        2.16.1. Denial of ML Service
        2.16.2. Spamming ML System with Chaff Data
        2.16.3. External Harms
        2.16.4. Cost Harvesting
        2.16.5. Evade ML Model
        2.16.6. Erode Dataset Integrity
        2.16.7. Mutative Tool Invocation
        2.16.8. Erode ML Model Integrity
3. Procedures
    3.1. ChatGPT and Gemini jailbreak using the Crescendo technique
    3.2. EchoLeak: Zero-Click Data Exfiltration using M365 Copilot
    3.3. Exfiltration of personal information from ChatGPT via prompt injection
    3.4. Copilot M365 Lures Victims Into a Phishing Site
    3.5. GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
    3.6. AI ClickFix: Hijacking Computer-Use Agents Using ClickFix
    3.7. Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
    3.8. Microsoft Copilot Purview Audit Log Evasion and DLP Bypass
    3.9. spAIware
    3.10. X Bot Exposing Itself After Training on a Poisoned Github Repository
    3.11. Data Exfiltration from Slack AI via indirect prompt injection
    3.12. Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
    3.13. Financial Transaction Hijacking With M365 Copilot As An Insider
4. Platforms
    4.1. GitHub Copilot
    4.2. Microsoft Copilot
    4.3. ChatGPT
    4.4. Claude
    4.5. Microsoft Copilot for M365
    4.6. Gemini
    4.7. SlackAI
5. Mitigations
    5.1. LLM Activations
    5.2. Spotlighting
    5.3. URL Anchoring
    5.4. Index-Based Browsing
    5.5. Content Security Policy
    5.6. Information Flow Control
6. Entities
    6.1. Michael Bargury
    6.2. Aim Security
    6.3. Gal Malka
    6.4. Ayush RoyChowdhury
    6.5. Johann Rehberger
    6.6. Ronen Eldan
    6.7. Tamir Ishay Sharbat
    6.8. PromptArmor
    6.9. Dmitry Lozovoy
    6.10. Jonathan Cefalu
    6.11. Simon Willison
    6.12. Ahmed Salem
    6.13. Gregory Schwartzman
    6.14. Mark Russinovich
    6.15. Pliny
    6.16. Lana Salameh
    6.17. Riley Goodside
AI Agents Attack Matrix
Platforms

    GitHub Copilot
    Microsoft Copilot
    ChatGPT
    Claude
    Microsoft Copilot for M365
    Gemini
    SlackAI