CrowdStrike Flags Five New Ways Criminals Can Trick AI Into Obeying Them

Researchers have mapped out a fresh set of prompt injection attacks, where criminals feed deceptive instructions to AI systems to make them behave in harmful ways. Here is what each one does and why ordinary employees are part of the risk picture.

ThreatVectr Newsdesk· 3 min read
Close-up, edge-to-edge 16:9 photograph of a glowing circuit board with streams of faintly visible text and code cascading across its surface in soft blue and wh
Share

Key points

  • CrowdStrike identified five new prompt injection attack types in 2024, expanding the catalogue of known techniques criminals can use against enterprise AI systems.
  • Prompt injection is a method of sneaking instructions into an AI model so it acts on the criminal's orders instead of the organisation's rules.
  • One technique, called Unwitting User Context-Data Injection, can be triggered simply by a staff member uploading a document or forwarding an email.
  • CrowdStrike recommends organisations map every place where outside content can reach an AI model and extend their security testing to cover multi-stage attacks.

CrowdStrike, the security firm best known for endpoint protection software, has published research cataloguing five new ways criminals can manipulate large language models, the AI engines that power tools like chatbots and document-summarising assistants. The findings, first covered by CSO Online, matter because businesses are stitching these models into workflows faster than they are securing them.

Prompt injection is the core idea. It means slipping a hidden instruction into text that an AI reads, so the model follows the criminal's command rather than its intended purpose. Think of it as a counterfeit order buried inside a legitimate memo.

How do these attacks actually reach employees?

The most immediate risk to ordinary staff comes from a technique CrowdStrike calls Unwitting User Context-Data Injection. Here, the employee does nothing obviously wrong. They upload a PDF, forward an email, or paste in some text. That content is later read by an AI tool. The malicious instruction is hidden inside it. The employee is the unwitting carrier.

The other four techniques operate at a more technical level, but are worth understanding in plain terms.

Trigger-Activated Rule Addition plants what looks like a harmless instruction inside a model's configuration. Nothing bad happens immediately. Later, a second signal activates it.

Cognitive Token Suppression is designed to silence a model's safety guardrails, the built-in refusals that stop an AI from doing something it should not. The attack nudges the model toward language that sidesteps those refusals.

Algorithmic Payload Decomposition breaks a harmful command into several innocent-looking fragments, each delivered separately. The model receives what appears to be normal conversation. Assembled in sequence, the fragments form a single damaging instruction.

Special Token Injection smuggles fake control signals into ordinary text. These signals are the kind an AI uses internally to decide whose instructions to prioritise. The attack tricks the model into treating an untrusted user's request as if it came from a system administrator.

CrowdStrike recommends that security teams treat every source of content that an AI model might read as a potential attack surface. That includes uploaded files, forwarded emails, and data pulled from external services. Testing should cover scenarios where a harmful instruction arrives in pieces across multiple inputs, not just in a single message.

What affected organisations should do

If your company uses any AI tool that reads documents or emails, ask your IT team whether that tool has been tested for prompt injection. Treat AI-generated outputs the same way you would treat an unsigned email: verify before you act on anything unexpected. Report odd AI behaviour, such as a chatbot suddenly asking for credentials or producing off-topic responses, to your security team immediately.

© 2026 Threat Vectr