RegistryDossier · 5 steps · 4 edges

Direct prompt injection → exfil another user's data

Multi-tenant LLM assistant. Attacker's prompt overrides instructions and tricks the model into emitting another user's session content / RAG-cached data.

Filed by AD Knowledge Base
§ Kill-chain

§ Context

Assumed environment: a chatbot / SaaS LLM feature where the same model context is shared (RAG, tools, customer data) across requests with weak per-request isolation.

§ Steps

  1. Craft instruction-override payload · Initial Access · AI-PROMPT-INJECT (Direct Prompt Injection)
  2. Probe input boundaries (instruction echo) · Initial Access · AI-PROMPT-INJECT (Direct Prompt Injection)
  3. Extract system prompt · Discovery · AI-SYS-PROMPT-LEAK (System Prompt Extraction)
  4. Render output → exfil via image probe URL · Impact · AI-OUTPUT-INJECT (Output Injection (Markdown / HTML))
  5. Coax model to emit cached / cross-tenant data · Collection · AI-TRAINING-EXFIL (Training Data Extraction)

§ Frequently asked

What is the "Direct prompt injection → exfil another user's data" attack path?
Multi-tenant LLM assistant. Attacker's prompt overrides instructions and tricks the model into emitting another user's session content / RAG-cached data. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?
The first step is Craft instruction-override payload (AI-PROMPT-INJECT), an initial access primitive. Assumed environment: a chatbot / SaaS LLM feature where the same model context is shared (RAG, tools, customer data) across requests with weak per-request isolation.
What is the final impact of this kill-chain?
The final step lands on Coax model to emit cached / cross-tenant data (AI-TRAINING-EXFIL), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?
Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.