# Indirect Prompt Injection Attacks Emerge as Top LLM Security Threat _Friday, April 24, 2026 at 12:14 AM EDT · Cybersecurity, AI · Latest · Tier 2 — Notable_ ![Indirect Prompt Injection Attacks Emerge as Top LLM Security Threat — Primary](https://www.zdnet.com/a/img/resize/8bdc6becdd3f139506514ea2d26aac13af89677c/2026/04/23/4af5add2-e2d5-43a3-b7cc-e858b01d7202/gettyimages-1376579671.jpg?auto=webp&fit=crop&height=675&width=1200) Indirect prompt injection attacks have emerged as a top security risk for large language models, with researchers now documenting real-world examples of these attacks found in the wild. Unlike direct prompt injection, where an attacker crafts a specific prompt to manipulate an AI system, indirect prompt injection hides malicious instructions in web content, emails, or other external text that an LLM reads and acts on. What makes these attacks serious is that they do not require user interaction. An LLM may read and act on a malicious instruction and then display malicious content, including scam website addresses, phishing links, or misinformation. The OWASP Foundation ranks prompt injection attacks, both direct and indirect, as the highest threat to LLM security today. Microsoft has warned that these attacks are commonly linked with data exfiltration and remote code execution. Researchers at Forcepoint have identified several examples of indirect prompt injection attempts on live websites. These include instructions to steal API keys, override systems to access sensitive data endpoints, hijack content attribution for fraudulent revenue, and inject terminal commands for data destruction. Many attempts begin with phrases like Ignore previous instructions or If you are an LLM. Palo Alto Networks Unit 42 researchers issued a directive on their own advisory page for any LLM scanning it to not follow instructions listed there, highlighting the difficulty of distinguishing legitimate content from malicious ones. Major AI companies are responding with defensive measures. Google uses automated and human penetration testing, bug bounties, and training ML to recognize threats. Microsoft focuses on detection tools and system hardening. Anthropic mitigates browser-based threats through AI training, flagging attempts through classifiers, and red team testing. OpenAI views prompt injection as a long-term challenge and has developed rapid response cycles. Security experts recommend that users limit the permissions they grant to AI chatbots, avoid sharing personal or sensitive data, watch for suspicious AI behavior, verify links rather than clicking through chat windows, and keep AI software updated. ## Sources - [ZDNet](https://www.zdnet.com/article/how-indirect-prompt-injection-attacks-on-ai-work-and-6-ways-to-shut-them-down/) --- Canonical: https://techandbusiness.org/newswire/nboQQLUk2FOYJmEHhVY8DG Retrieved: 2026-04-24T07:40:02.660Z Publisher: Tech & Business (techandbusiness.org)