Indirect Prompt Injection

Direct prompt injection requires the attacker to influence the user's prompt. Indirect injection sidesteps that by hiding instructions in data sources the agent already trusts, such as RAG indexes, calendar entries, and SaaS records.

Indirect prompt injection vectors include:

• Document poisoning: Hidden text in PDFs, Word, or Office files retrieved by the agent.
• Web page injection: Crafted HTML or metadata that browsers or scrapers feed to models.
• Email and ticket payloads: Instructions in inbound messages routed into agent context.
• Cross-tenant content: Shared SharePoint, wiki, or chat content read by enterprise Copilots.
• Memory writes: Long-lived agent memory or RAG indices seeded with malicious entries.

Because attackers cannot always influence the user's prompt, indirect injection has become the default real-world attack pattern against enterprise copilots and agents. Defending against it requires inspecting retrieval and tool-call paths, not just the user's input box.

Mature programs also instrument retrieval and tool-call paths with telemetry that can later be replayed during incident investigation, turning incident response into something repeatable.

How PointGuard AI Helps

PointGuard AI Runtime Guardrails inspect retrieved content for injection patterns before it reaches the model, and the Agent Governance Mesh applies authorization checks at every action the model proposes, so a successful injection cannot drive an unauthorized tool call. The combination ensures that injection cannot escalate from a content issue into an unauthorized action.

Learn More

• Greshake et al., Indirect Prompt Injection arXiv:2302.12173
• OWASP Top 10 for LLM Applications
• Wikipedia: Prompt injection