1. Attacks Matrix
   1.1. Introduction
   1.2. How to Contribute
   1.3. Q&A
2. Tactics
   2.1. Reconnaissance
      2.1.1. Finding RAG-Indexed Targets
      2.1.2. Search Closed Sources
      2.1.3. Active Scanning
      2.1.4. Search Open Sources
   2.2. Resource Development
      2.2.1. Commercial License Abuse
      2.2.2. Prompt Stabilizing
      2.2.3. Prompt Crafting
   2.3. Initial Access
      2.3.1. Compromised User
      2.3.2. Targeted RAG Poisoning
      2.3.3. RAG Poisoning
      2.3.4. User Manipulation
      2.3.5. Retrieval Tool Poisoning
      2.3.6. Guest User Abuse
      2.3.7. Web Poisoning
   2.4. Execution
      2.4.1. Prompt Injection
      2.4.2. System Instruction Keywords
      2.4.3. Off-Target Language
   2.5. Persistence
      2.5.1. Memory Infection
      2.5.2. Thread Infection
      2.5.3. Resource Poisoning
   2.6. Privilege Escalation
      2.6.1. Jailbreaking
      2.6.2. System Instruction Keywords
      2.6.3. Off-Target Language
      2.6.4. Crescendo
   2.7. Defense Evasion
      2.7.1. Indirect Data Access
      2.7.2. Conditional Execution
      2.7.3. Delayed Execution
      2.7.4. RAG Injection
      2.7.5. Citation Silencing
      2.7.6. ASCII Smuggling
      2.7.7. These Aren't The Droids
      2.7.8. URL Familiarizing
   2.8. Credential Access
      2.8.1. Retrieval Tool Credential Harvesting
      2.8.2. RAG Credential Harvesting
   2.9. Discovery
      2.9.1. Delimiters and Special Character Extraction
      2.9.2. Whoami
      2.9.3. Embedded Knowledge Exposure
      2.9.4. System Instructions Extraction
      2.9.5. Failure Mode Mapping
      2.9.6. Tool Definition Discovery
   2.10. Lateral Movement
      2.10.1. Message Poisoning
      2.10.2. Shared Resource Poisoning
   2.11. Collection
      2.11.1. Retrieval Tool Data Harvesting
      2.11.2. RAG Data Harvesting
      2.11.3. Thread History Harvesting
      2.11.4. Memory Data Hording
   2.12. Command And Control
      2.12.1. Search Index C2
      2.12.2. Public Web C2
   2.13. Exfiltration
      2.13.1. Granular Clickable Link Rendering
      2.13.2. Image Rendering
      2.13.3. Web Request Triggering
      2.13.4. Clickable Link Rendering
      2.13.5. Granular Web Request Triggering
      2.13.6. Write Tool Invocation
   2.14. Impact
      2.14.1. AI Social Engineering
      2.14.2. Mutative Tool Invocation
      2.14.3. Citation Manipulation
3. Procedures
   3.1. Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
   3.2. Data Exfiltration from Slack AI via indirect prompt injection
   3.3. Exfiltration of personal information from ChatGPT via prompt injection
   3.4. GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
   3.5. Financial Transaction Hijacking With M365 Copilot As An Insider
   3.6. Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
   3.7. Microsoft Copilot Purview Audit Log Evasion and DLP Bypass
   3.8. ChatGPT and Gemini jailbreak using the Crescendo technique
   3.9. Copilot M365 Lures Victims Into a Phishing Site
4. Platforms
   4.1. Microsoft Copilot
   4.2. ChatGPT
   4.3. Gemini
   4.4. SlackAI
   4.5. GitHub Copilot
   4.6. Microsoft Copilot for M365
5. Mitigations
   5.1. Content Security Policy
   5.2. URL Anchoring
   5.3. Index-Based Browsing
6. Entities
   6.1. Gregory Schwartzman
   6.2. Gal Malka
   6.3. Ronen Eldan
   6.4. PromptArmor
   6.5. Pliny
   6.6. Michael Bargury
   6.7. Dmitry Lozovoy
   6.8. Johann Rehberger
   6.9. Ayush RoyChowdhury
   6.10. Ahmed Salem
   6.11. Mark Russinovich
   6.12. Jonathan Cefalu
   6.13. Tamir Ishay Sharbat
   6.14. Riley Goodside
   6.15. Lana Salameh
   6.16. Simon Willison
GenAI Attacks Matrix
Tactics
Defense Evasion
Lateral Movement
Persistence
Reconnaissance
Resource Development
Execution
Impact
Credential Access
Collection
Initial Access
Command And Control
Discovery
Privilege Escalation
Exfiltration