CrowdStrike Highlights 5 Prompt Injection Techniques Challenging AI Agents


CrowdStrike has highlighted five prompt injection techniques that show how attackers are adapting their methods for AI agents that can browse websites, process files, access business data, and use tools.

The techniques include Trigger-Activated Rule Addition, Cognitive Token Suppression, Algorithmic Payload Decomposition, Special Token Injection, and Unwitting User Delivery. The list shows how prompt injection is moving beyond simple chatbot jailbreaks into attacks that can manipulate autonomous workflows.

The risk is especially important for agentic AI systems because they can act on external data. The OWASP LLM01:2025 Prompt Injection guidance says prompt injection can cause unintended outcomes, including sensitive information disclosure, unauthorized access to functions, arbitrary command execution in connected systems, and manipulation of critical decisions.

Prompt injection is becoming an agent security problem

Prompt injection happens when malicious or unexpected instructions alter an AI system’s behavior. In a basic chatbot, the result may be a bad answer or policy bypass. In an AI agent, the result can be more serious because the model may have access to files, emails, SaaS apps, code repositories, browsers, or command execution.

This is why the threat changes as organizations move from chatbots to agents. The agent does not only answer questions. It may decide which tool to call, which data to retrieve, what file to write, or what message to send.

The MITRE ATLAS LLM Prompt Injection entry classifies prompt injection as a technique where adversaries craft inputs that cause an AI model to behave in ways not intended by the system owner or user.

TechniqueIDMain idea
Trigger-Activated Rule AdditionPT0201Plants hidden instructions that activate only under specific conditions
Cognitive Token SuppressionPT0197Tries to reduce the model’s use of safety or refusal language
Algorithmic Payload DecompositionPT0200Splits a malicious instruction into smaller parts to evade filters
Special Token InjectionPT0198Mimics control tokens, tool formats, or system-like structure
Unwitting User DeliveryIM0005Tricks a real user into delivering the malicious prompt

Trigger-Activated Rule Addition hides dormant instructions

Trigger-Activated Rule Addition is one of the more concerning techniques because the malicious instruction does not need to fire immediately.

An attacker can plant a dormant rule inside a document, webpage, ticket, email, or shared data source. The rule may activate only when the agent sees a specific keyword, date, account name, file type, or business condition.

This delayed behavior makes the attack harder to catch during a quick review. A security scanner may inspect the content before the trigger appears and miss the real effect.

  • The attacker plants an instruction inside external content.
  • The instruction remains dormant during normal review.
  • A later condition activates the hidden rule.
  • The agent changes behavior after the trigger appears.
  • The user may see only the final output, not the manipulation path.

Why delayed prompt attacks are hard to detect

Delayed attacks are difficult because they break the assumption that prompt injection will always be obvious at the first interaction.

An AI agent may read a document on Monday, remember or summarize it, and then act on part of that context days later. If the injected rule activates only during the later task, defenders need visibility into the full chain, not just the final output.

Recent research on agent data injection attacks argues that attackers can disguise malicious data as trusted context, metadata, or tool output, causing agents to take unintended actions based on attacker-controlled information.

Cognitive Token Suppression targets safety language

Cognitive Token Suppression aims to push the AI system away from words or patterns it normally uses to enforce safety. Instead of directly telling the model to ignore its rules, the attacker tries to reduce the model’s ability to express caution, refusal, or policy reasoning.

This can make the response more ambiguous and less likely to contain clear safety boundaries. In a business agent, that could weaken checks around sensitive data, external sharing, tool use, or approval steps.

The technique does not need to fully disable the model’s safety system to create risk. It only needs to make the agent less consistent when it decides whether a requested action is allowed.

Algorithmic Payload Decomposition breaks attacks into pieces

Algorithmic Payload Decomposition avoids placing the full malicious instruction in one obvious block. Instead, the attacker splits the payload into fragments that look harmless on their own.

The agent is then guided to combine or transform those fragments into a full instruction. A filter scanning for complete malicious phrases may miss the attack because no single fragment contains the entire command.

The OWASP prompt injection guidance includes payload splitting as an example attack scenario, where separate malicious prompt fragments are combined by an LLM and then manipulate the model’s behavior.

Evasion methodWhy it worksDefensive challenge
Delayed triggerPayload activates only laterRequires multi-step session tracking
Token suppressionWeakens safety phrasingHard to detect through keyword rules alone
Payload decompositionSplits the malicious instructionRequires semantic and sequence-aware analysis
Special token abuseMimics trusted structureRequires strict separation of data and control
User-assisted deliveryUses a legitimate user sessionRequires user education and workflow controls

Special Token Injection attacks the structure of agent prompts

Special Token Injection targets the formatting and control structure around the model. Attackers may try to mimic internal tokens, tool-call syntax, system messages, separators, XML-like tags, JSON fields, or framework-specific instructions.

The goal is to blur the boundary between trusted instructions and untrusted data. If the agent treats the injected structure as higher priority than normal content, the attacker may influence the tool plan or final action.

This technique is especially relevant for agents that pass tool responses, retrieved documents, or web content back into the conversation history without strong isolation.

Unwitting User Delivery uses social engineering

Unwitting User Delivery does not depend only on hidden technical tricks. It persuades a legitimate user to paste, upload, forward, or submit the malicious prompt to the AI system.

That can happen through viral posts, fake instructions, malicious templates, shared documents, comments, screenshots, or support content. Because the action comes from a real user session, the request may look more trusted to normal security controls.

This is similar to phishing in one important way: the attacker uses the user as the delivery channel. The difference is that the target is not only the person. It is the AI agent acting on the person’s behalf.

Indirect prompt injection is the bigger enterprise concern

Direct prompt injection comes from the user’s own prompt. Indirect prompt injection comes from content the model reads, such as emails, websites, tickets, documents, logs, code comments, or SaaS records.

The MITRE ATLAS indirect prompt injection entry describes the risk of malicious instructions embedded in third-party content that gets processed by an AI system.

This is the most dangerous pattern for enterprise agents because users may never see the injected instruction. The agent can retrieve it from a source that looks like ordinary business data.

Why AI agents expand the attack surface

AI agents connect language models to tools. That is the source of their productivity value and their security risk.

A normal chatbot can produce a bad answer. A tool-using agent can send an email, query a database, modify a ticket, run code, browse a site, summarize a document, or call an API. If an attacker can influence the agent’s decision path, the impact can move beyond text generation.

The WASP web-agent security benchmark found that web navigation agents can be susceptible to indirect prompt injections embedded in web content, although successful end-to-end attacker goals remain harder than simply causing the agent to begin following malicious instructions.

Attackers can combine several techniques

The five techniques are most dangerous when combined. An attacker might hide the payload inside a webpage, split it into fragments, wrap part of it in fake tool syntax, and activate it only when the agent sees a specific customer name.

That kind of layered attack can defeat simple keyword filters. It also makes incident response harder because the final agent action may look disconnected from the original malicious content.

Security teams need to think in chains. The important question is not only whether one prompt looks suspicious, but whether untrusted content influenced a later tool decision.

CrowdStrike is moving deeper into AI security

The new prompt injection taxonomy update fits CrowdStrike’s broader push into AI security. The company has been building around agentic AI risks as enterprise users adopt more autonomous tools.

Earlier reporting on CrowdStrike’s planned acquisition of Pangea described Pangea as an AI security company focused on securing interactions between AI systems, users, and enterprise software, including prompt injection risks.

TechRadar’s coverage of the Pangea deal said CrowdStrike planned to integrate Pangea’s capabilities into Falcon as part of an AI Detection and Response approach covering data, models, identities, infrastructure, and AI agents.

Why the taxonomy matters

A taxonomy does not stop an attack by itself, but it gives defenders a common language. Security teams can write test cases, detection logic, logging requirements, and governance rules around named techniques.

That matters because prompt injection can appear across many sources. A single organization may need to test email agents, browser agents, coding agents, ticketing assistants, support bots, document summarizers, and SOC copilots.

The agent data injection research also highlights why taxonomies must evolve. Attackers do not only inject obvious instructions. They can also manipulate trusted-looking data fields, identifiers, tool responses, or context that agents use to make decisions.

Detection needs context, not just keywords

Prompt injection detection cannot depend only on phrases such as “ignore previous instructions.” The techniques highlighted by CrowdStrike show why attackers are moving toward delayed triggers, decomposed payloads, and structural tricks.

Defenders need visibility into where content came from, whether it was trusted, how it entered the agent context, and whether it influenced a tool call or external action.

The WASP benchmark reinforces that agent security should be tested under realistic objectives, not only simple prompt override examples.

  1. Label external content as untrusted before the model processes it.
  2. Keep tool permissions narrow and task-specific.
  3. Require approval before the agent sends data, changes files, or executes commands.
  4. Log retrieved content, tool decisions, and final actions together.
  5. Test agents with delayed, split, obfuscated, and user-delivered injections.
  6. Monitor for unusual tool calls after the agent processes external data.
  7. Review prompts, tool outputs, and session memory during incident response.

Human approval remains important for high-risk actions

Human-in-the-loop review is not a complete solution, but it can reduce damage when the agent is about to take a sensitive action.

For example, an agent may draft an email automatically, but it should not send sensitive customer data, change access rights, approve payments, or run code without a clear approval path.

OWASP recommends least privilege access, human approval for high-risk actions, isolation of external content, and adversarial testing as practical mitigations for prompt injection risk.

Security teams should test the full agent workflow

Agent testing should include every place where untrusted data can enter the system. That includes web pages, documents, messages, tickets, calendar invites, code repositories, log fields, tool responses, and API results.

Teams should also test whether a prompt injection can survive summarization, memory, retrieval, tool execution, or handoff to another agent.

The MITRE ATLAS indirect prompt injection mapping is useful here because it frames the threat around external content that the model may treat as instruction.

Prompt injection remains a moving target

The five newly highlighted techniques show that prompt injection is not a static problem. As defenders build filters and guardrails, attackers refine how they deliver, hide, activate, and chain instructions.

This is why enterprises should treat AI agent security like application security, identity security, and endpoint security. It needs threat modeling, logging, access control, red teaming, and continuous updates.

CrowdStrike’s AI security push reflects the same trend: as agents gain more access and autonomy, organizations need controls that can see and govern both human and AI-driven actions.

FAQ

What are the five prompt injection techniques highlighted by CrowdStrike?

The five highlighted techniques are Trigger-Activated Rule Addition, Cognitive Token Suppression, Algorithmic Payload Decomposition, Special Token Injection, and Unwitting User Delivery.

Why are prompt injection attacks more dangerous for AI agents?

AI agents can use tools, browse websites, access documents, query business systems, and take actions. If attackers manipulate the agent’s instructions or context, the impact can move beyond a bad answer into data exposure or unauthorized actions.

What is Trigger-Activated Rule Addition?

Trigger-Activated Rule Addition is a prompt injection technique where hidden instructions remain dormant until a specific keyword, condition, date, or context activates them later in the workflow.

What is Unwitting User Delivery?

Unwitting User Delivery happens when attackers trick a legitimate user into pasting, uploading, forwarding, or submitting malicious prompt content to an AI system without realizing it.

How can organizations reduce prompt injection risk in AI agents?

Organizations should isolate untrusted content, enforce least-privilege tool access, require approval for sensitive actions, log tool calls and retrieved data, and test agents with delayed, split, obfuscated, and indirect prompt injection scenarios.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages