Indirect prompt injection via RAG document

§ Context

Assumed environment: target LLM features a RAG pipeline that pulls from a shared knowledge base (wiki, Drive, SharePoint, Confluence). Attacker has write access to that source (insider, public-share, vendor).

§ Steps

1. 01
   Exfil via tool output to attacker channelExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   Wait for a privileged query that retrieves itInitial Access

   T1078— Valid Accounts
3. 03
   LLM follows attacker instructions from the docInitial Access

   AI-INDIRECT-INJECT— Indirect Prompt Injection (RAG / Web)
4. 04
   Upload poisoned doc with hidden instructionsPersistence

   AI-RAG-POISON— RAG Index Poisoning
5. 05
   Trigger tool calls (send email / read files)Execution

   AI-TOOL-ABUSE— Tool / Function-Call Abuse

§ References

• T1041Exfiltration Over C2 Channel
• T1078Valid Accounts

§ Frequently asked

What is the "Indirect prompt injection via RAG document" attack path?

Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil via tool output to attacker channel (T1041) — a exfiltration primitive. Assumed environment: target LLM features a RAG pipeline that pulls from a shared knowledge base (wiki, Drive, SharePoint, Confluence).

What is the final impact of this kill-chain?

The final step lands on Trigger tool calls (send email / read files) (AI-TOOL-ABUSE), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques3

  Multi-agent confused-deputy → tool-call escalation

  User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.

• Shared techniques3

  Prompt injection → tool-call shell RCE

  Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.

• Shared techniques3

  Agent goal hijack via web search

  An autonomous agent searches the web and reads tool output. Attacker SEO-poisons / posts a comment that, when fetched, contains 'NEW INSTRUCTION:' the agent obediently follows.

• Shared techniques2

  Apple Pay Express Transit relay → high-value contactless fraud

  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

• Shared techniques2

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.