Indirect prompt injection occurs when an agent interprets instructions embedded in content the user did not provide as commands: a webpage, email, attachment, shared document, calendar description, issue comment, or image. The risk rises when the same agent can access confidential context or invoke tools. A passive summary can become a bridge from attacker-controlled text to mail, storage, code, payments, or account administration. Security must break that bridge even when the model is persuadable.
The key design rule is that content can contribute facts but cannot grant authority. Pair this guide with Edilec's prompt security review, agent tool-permission model, and human review gate design. Prompt text helps the model behave; deterministic policy decides what the system may do.
Model the path from external content to privileged effect
Draw six elements for each agent: initiator intent, content acquisition, parsing and rendering, model context, tool proposal, and protected effect. Mark identities, data stores, secrets, and network destinations. Ask which attacker can control each content field and which hidden data the model can see. Include recursive paths: an email links to a page, a page downloads a file, a document references another service, and tool output returns fresh untrusted text. One malicious instruction can persist across several turns if memory stores it.
OWASP LLM01 defines indirect injection as external-source content altering model behavior and describes outcomes such as disclosure, unauthorized functions, commands, and manipulated decisions. Translate those outcomes into business-specific abuse cases. For a mailbox agent, examples include forwarding sensitive threads, changing a payment destination, or deleting evidence. For a browser agent, include cross-origin exfiltration, unauthorized purchase, and submission of private form data.
| Content channel | Typical attacker control | Dangerous agent capability | Required boundary |
|---|---|---|---|
| Web page | Visible, hidden, styled or script-generated text | Navigate, download, submit, purchase | Origin-aware browsing and action confirmation |
| Body, sender name, quoted thread, links and attachments | Read mailbox, reply, forward, delete | Sender trust separated from mailbox authority | |
| Document | Text, comments, metadata, OCR and embedded objects | Extract, edit, upload, sign | Sandbox parsing and document-scoped access |
| Calendar or ticket | Description, attendees, comments and linked artifacts | Invite, assign, disclose or execute workflow | Object authorization and bounded fields |
| Tool result | Remote API text and error messages | Choose next tool with broader privilege | Treat every result as untrusted data |
Separate external content from trusted instructions and state
Represent content as typed records with source, origin, owner, acquisition time, trust label, permissions, and content hash. Place it in a clearly delimited context field and instruct the model to summarize or extract facts without obeying embedded commands. Do not concatenate HTML, email headers, developer prompts, and tool results into one undifferentiated string. Sanitize active markup and remote resources before model or user rendering, but retain a protected original for investigation.
Keep secrets, system policy, and unrelated conversation history out of tasks that do not need them. Use task-scoped memory and expire external-content influence when the task ends. Never include raw credentials in model context. If the model needs a resource, expose a narrow reference that a trusted runtime resolves after authorization. These measures reduce consequence even if the model follows hostile text; they do not rely on the model perfectly recognizing every obfuscation.
Constrain browsing, email, and file acquisition
For browsing, restrict schemes and network destinations, block private-address access, isolate sessions, partition cookies, prevent automatic downloads, and label origin transitions. Require explicit policy for authentication and cross-origin form submission. For email, authenticate the user, scope folders and fields, treat sender display names as untrusted, scan links and attachments, and distinguish drafts from sends. For files, sandbox converters, limit size and nesting, reject dangerous active formats, preserve provenance, and apply repository permissions before access.
Content filters can score instruction-like text, obfuscation, hidden elements, and known exfiltration patterns. Use them to quarantine, redact, reduce capability, or request review, while acknowledging evasion and false positives. The NIST adversarial-ML taxonomy supports explicit analysis of attacker knowledge, capabilities, objectives, and lifecycle stage. Test controls against attackers who can adapt content after observing agent behavior, not only a static benchmark.
Put an authorization and transaction firewall before tools
The model should propose a typed action; the runtime should authorize it using authenticated initiator, tenant, resource, operation, arguments, purpose, content origin, cumulative activity, and required approval. Apply allowlists, object scopes, rate and value limits, destination restrictions, and domain invariants. Separate read, draft, and commit tools. For sensitive actions, render a confirmation from trusted structured fields showing exact recipient, resource, amount, or disclosure, without letting external content rewrite the confirmation.
Detect plan changes after untrusted content is read. If the user's task was summarize and the agent begins to send, upload, delete, purchase, change permissions, or reveal context, stop and require a new authorized intent. The OWASP agentic-threat guide is a threat-model reference for emerging agent risks; use it to review planning, memory, tools, identity, and multi-agent trust instead of focusing only on a single prompt-response pair.
Design confirmation that resists injected intent and exfiltration
Confirmation is useful only when the person can understand the effect and the agent cannot bypass or misdescribe it. Generate the screen outside the model, state why the action is proposed, identify untrusted sources that influenced it, show data leaving its current boundary, and require a fresh user gesture. Do not bundle unrelated operations into approve all. High-risk actions may require an authorized second reviewer or reauthentication. Approval should expire when arguments, recipient, source, or session changes.
| Proposed effect | Default policy | User-facing confirmation | Post-condition |
|---|---|---|---|
| Send or forward email | Draft only unless user explicitly requested send | Recipients, subject, attachments and sensitive-data warning | Message ID and actual recipients match |
| Upload a file | Deny unapproved destination or classification | Destination, file identity, visibility and retention | Remote object permissions verified |
| Submit a web form | Require origin and field policy | Origin, fields, account and irreversible terms | Receipt stored; no extra fields changed |
| Delete or change access | Require elevated approval and narrow object list | Exact objects, users and recovery option | Authoritative state read back |
| Navigate to external URL | Allow safe navigation, deny secret-bearing parameters | Display normalized destination on risk transition | Redirect chain remains within policy |
Red-team cross-channel chains and monitor action drift
Seed pages, messages, PDFs, images, comments, and tool results with visible, hidden, multilingual, encoded, and split instructions. Test instructions that imitate policy, request secrets, alter the goal, create urgency, or ask the agent to hide actions. Chain sources: email to website to file to tool. Evaluate whether the agent discloses context, changes plan, requests broader permission, or produces misleading confirmation. Repeat across model, parser, browser, and prompt releases.
Log content origins, plan transitions, policy inputs and results, confirmation artifacts, tool calls, network destinations, and authoritative outcomes. Alert on privilege jumps, new destinations, repeated denials, actions inconsistent with initial intent, sensitive data entering URLs, and unusual sequences after external content. Map observed patterns to MITRE ATLAS where useful, but preserve application-specific evidence. Respond by quarantining content, revoking task credentials, stopping pending actions, checking completed effects, and adding the exact chain to regression tests.
Design safe degradation when content trust is uncertain
Define capability modes that policy can apply without relying on the model: normal, read-only, no external navigation, no sensitive context, draft-only, human-reviewed, and suspended. A suspicious page or attachment can move the task to a lower-authority mode while preserving useful summarization. Show the user that capability changed and why, without reproducing harmful instructions. Recovery requires clearing task memory, closing isolated browser state, removing cached content, rotating exposed credentials, and checking authoritative systems for completed effects. Test that resumed work starts from a clean checkpoint rather than feeding the same injected context back into the agent. Graceful degradation keeps one uncertain signal from forcing either unsafe autonomy or an unnecessary organization-wide shutdown.
Define a content-origin policy that product teams can apply consistently. It should distinguish user-authored intent, organization-controlled records, authenticated external senders, public internet content, generated tool output, and unknown or transformed artifacts. The label should influence accessible context, tools, destinations, confirmation, monitoring, and retention rather than simply display a warning. Preserve multiple origins when content is copied or summarized; a trusted employee forwarding an external message does not convert the quoted text into trusted instructions. Audit label loss at email threading, PDF conversion, OCR, copy-and-paste, and agent-to-agent handoff boundaries.
Key takeaways for indirect prompt injection controls
- Assume every external content channel and tool result can carry hostile instructions.
- Keep provenance and trust labels through parsing, memory, model context, and action decisions.
- Use a deterministic action firewall that evaluates initiator, object, arguments, origin, sequence, and limits.
- Generate confirmations outside the model and require new intent when the plan becomes more privileged.
- Test cross-channel attack chains and verify authoritative post-conditions after approved actions.
FAQ about indirect prompt injection
Can system prompts tell an agent to ignore injected instructions? They help but are not a reliable authorization control. Does sanitizing HTML solve browser-agent injection? No; hostile meaning can remain in plain text, images, linked files, and tool results. Should all agent actions require approval? No. Automate low-impact reversible actions within narrow scopes, while elevating privilege changes, external disclosure, commitments, and irreversible effects. Is a known sender's email trusted? Identity can raise confidence in provenance, but accounts are compromised and forwarded content may be attacker controlled.
Conclusion: let content inform the agent without commanding it
Agents are valuable because they can read messy external information and act, which is exactly why indirect injection cannot be solved by refusing all untrusted content. The workable boundary is architectural: content remains attributed data, secrets remain out of context, tools receive narrow credentials, policy checks every effect, and people confirm material transactions from trusted fields. When monitoring and red-team tests cover the full content-to-effect chain, a model mistake is far less likely to become a privileged business action.