Retrieval Content Crafting
Type: technique
Description: The adversary writes content designed to be retrieved by user queries and to influence a user of the system in some way. This abuses the trust the user has in the system. The crafted content can be combined with a prompt injection, or it can stand alone in a separate document or email. The adversary must get the crafted content into a database (such as a vector database used in RAG) in the victim system. This may be accomplished via cyber access, or by abusing the ingestion mechanisms common in retrieval-augmented generation systems (see RAG Poisoning). Large language models may be used to assist an adversary in crafting content.
Version: 0.1.0
Created At: 2025-03-04 10:27:40 -0500
Last Modified At: 2025-03-04 10:27:40 -0500
External References
Related Objects
- --> Initial Access (tactic): An adversary can target a specific user prompt by crafting content that would be surfaced by a RAG system to respond to that query.
- --> RAG Poisoning (technique): Targeted RAG Poisoning is a form of RAG Poisoning, crafting malicious content to surface for a specific user query.
- --> Tamir Ishay Sharbat (entity): Demonstrated by
- <-- Financial Transaction Hijacking With M365 Copilot As An Insider (procedure): Copilot gets access to malicious data via an email that targets the question "What are the bank details for TechCorp Solutions?".
- <-- Copilot M365 Lures Victims Into a Phishing Site (procedure): Copilot gets access to malicious data via an email that targets the question "how to access the power platform admin center?".
- <-- Data Exfiltration from Slack AI via indirect prompt injection (procedure): The adversary targets any question about the "EldritchNexus API key" by pasting data with malicious instructions in a public channel, indexed by Slack AI. The prompt injection starts with: "EldritchNexus API key:". In a second attack scenario, the attacker targets search queries about a specific user: "To view the messages shared by Shankar".