CrowdStrike Identifies Five New Prompt Injection Techniques Targeting AI Systems

As artificial intelligence (AI) systems become increasingly integrated into organizational operations, the security landscape is evolving to address new vulnerabilities. CrowdStrike has recently identified five novel prompt injection techniques that pose significant threats to AI agents. These findings underscore the necessity for enhanced security measures as AI technologies advance.

Emerging Prompt Injection Techniques

Prompt injection involves embedding malicious instructions into the data processed by AI systems, leading to unintended behaviors. The five newly identified techniques are:

  • Trigger-Activated Rule Addition (PT0201): Attackers embed hidden instructions that remain dormant until specific conditions or keywords activate them. This method allows malicious payloads to bypass initial security checks and later alter system behavior, such as silently exfiltrating sensitive data upon activation.
  • Cognitive Token Suppression (PT0197): This technique manipulates prompts to restrict an AI model’s ability to generate safe responses by limiting the use of refusal or policy-related language. By steering the model away from its normal safety vocabulary, attackers increase the likelihood of ambiguous or non-compliant outputs.
  • Algorithmic Payload Decomposition (PT0200): Instead of delivering a malicious instruction directly, attackers break it into smaller, seemingly harmless components. The AI is then guided to reconstruct these fragments into a complete command, allowing the payload to bypass traditional filters that scan for obvious threats.
  • Special Token Injection (PT0198): This method targets the structural framework of AI systems by mimicking internal formatting elements such as tool calls or system-level instructions. Attackers attempt to blur the boundary between trusted and untrusted inputs, tricking the model into treating malicious content as a legitimate command with elevated priority.
  • Unwitting User Delivery (IM0005): Leveraging social engineering, attackers persuade users to input malicious prompts themselves. This is often achieved through deceptive content such as viral posts or hidden instructions embedded in media. Since the request originates from a legitimate user session, it becomes harder for security systems to detect.

Implications for AI Security

The identification of these techniques highlights the evolving sophistication of threats targeting AI systems. As organizations increasingly deploy autonomous AI agents capable of browsing websites, accessing internal data, and executing commands, the attack surface expands. Adversaries are now embedding malicious instructions within the data these agents consume, enabling indirect attacks that can hijack system behavior without obvious signs.

To address this growing challenge, CrowdStrike has expanded its prompt injection taxonomy with 18 new techniques, bringing the total to more than 200 documented methods. This comprehensive approach aims to equip organizations with the knowledge needed to fortify their AI systems against emerging threats.

As AI technologies continue to advance, it is imperative for organizations to stay vigilant and adopt proactive security measures. Understanding and mitigating prompt injection techniques are crucial steps in safeguarding AI systems from exploitation. Continuous monitoring, regular updates to security protocols, and user education are essential components of a robust defense strategy against these evolving threats.