Episode 07

The New Attack Surface

Prompt injection, model theft, agentic risk

15:00 January 12, 2027 with Cynthia, Robert, Lukas, Chris
▸ Listen to Episode 07

What this episode is about

This episode belongs at its core to Lukas — the foundational work on indirect prompt injection from 2023 is the academic basis of the topic. The central thesis: language is the new attack vector. Classic application security doesn’t catch it because data and commands share the same channel — a fundamental architectural weakness we cannot easily solve.

OWASP Top 10 for LLMs — the map

OWASP released the updated Top 10 list for LLM applications in 2025. Chris walks through the three most important risks: LLM01 Prompt Injection — direct and indirect. LLM02 Sensitive Information Disclosure — data exfiltration via the model. LLM06 Excessive Agency — agents allowed too much. Robert reports from practice: among Swiss clients with productive LLM applications, LLM02 is most common — employees copy confidential content into ChatGPT without IT having visibility. IBM quantified this in the 2025 report as 670,000 dollars of additional costs per breach. Lukas adds from the research side on LLM01 the work by Andy Zou et al. at CMU 2023 — the GCG algorithm generates gradient-based adversarial suffixes that break every alignment-trained model filter. What sounded theoretical surfaced in practice in 2024 in modified WormGPT variants and uncensored open-source forks.

EchoLeak — the first real-world zero-click exploit

In June 2025, Aim Labs publishes a zero-click prompt-injection vulnerability in Microsoft 365 Copilot. CVE-2025-32711, CVSS 9.3, critical. The attack works without a click: the attacker sends an email with embedded instructions. The mail doesn’t have to be opened — it sits in the index. When the user later asks any question to Copilot, it loads the mail into context and executes the embedded instructions — data exfiltration from OneDrive, SharePoint, Teams.

Microsoft had protective layers. Lukas reconstructs the bypass techniques methodologically from the arXiv paper 2509.10540. First: reference-style Markdown — the attacker links image URLs not inline but via references the XPIA classifier doesn’t recognize. Second: auto-fetched images — Outlook loads images automatically, enabling data exfiltration via the image request. Third: misuse of a Microsoft Teams proxy permitted by the Content Security Policy. Fourth — the most elegant part — semantic spraying: instructions are spread across multiple email sections, each one looks innocuous, together they yield the complete exploit. Aim Labs calls this “LLM Scope Violation” — the model was tricked into crossing its trust boundary. Microsoft has patched, no exploitation in the wild known. But EchoLeak is the existence proof: productive LLM apps with RAG components have real attack surfaces. Johann Rehberger from Embrace the Red had already demonstrated a similar data exfiltration in M365 Copilot in August 2024 using ASCII smuggling — EchoLeak is the more mature variant of the same pattern.

Model theft and output manipulation

Lukas points to a second attack class that became reality in 2024. Nicholas Carlini and colleagues at Google DeepMind, in “Stealing Part of a Production Language Model” (arXiv:2403.06634), extracted parts of the embedding matrix from productive OpenAI models — not the whole model, but enough to demonstrate this class as practical. OpenAI made API changes afterwards. Chris describes the other side: output manipulation. When an LLM is embedded in an application, the attacker can drive the model to produce manipulated output. Example: a code-review assistant. With injected instructions, the output can recommend backdoors that the human overlooks while reading fast — a real risk area for DevSecOps pipelines in 2026. At client engagements this means concretely: LLM-generated code in pull requests always runs through classic static analysis. GitHub Copilot is a productivity tool, but its output passes the same pipeline as human-written code — SonarQube, Snyk, manual reviews on critical paths.

Three mitigation layers

Input filters like Microsoft’s XPIA classifier — weak against sophisticated attacks like EchoLeak. Output filters — for example not allowing Markdown links to external domains — stronger but break legitimate use cases. Architectural isolation — the LLM agent runs in a sandbox, no direct access to confidential data — strongest mitigation, most expensive to implement. Chris names a fourth, fundamental layer: strict separation at the model level, which his research center and other groups are working on. Still a research topic. UK NCSC and US NIST both classified prompt injection as a critical risk in 2024 — NIST literally called it “the greatest security flaw of generative AI.”

What you take away from this episode

Anyone using LLM applications productively needs their own threat model for LLM-specific risks. Standard SAST and standard DAST don’t catch them. Language is the new attack vector in 2026. In the next episode the other side of the threat landscape — the supply chain, from the XZ backdoor to slopsquatting.

Sources and references

  1. Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., & Fritz, M. (2023). Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection (arXiv:2302.12173). arXiv. https://arxiv.org/abs/2302.12173
  2. Zou, A., Wang, Z., Carlini, N., Nasr, M., Kolter, J. Z., & Fredrikson, M. (2023). Universal and transferable adversarial attacks on aligned language models (arXiv:2307.15043). arXiv. https://arxiv.org/abs/2307.15043
  3. Carlini, N., Paleka, D., Dvijotham, K. D., Steinke, T., Hayase, J., Cooper, A. F., Lee, K., Jagielski, M., Nasr, M., Conmy, A., Wallace, E., Rolnick, D., & Tramèr, F. (2024). Stealing part of a production language model (arXiv:2403.06634). arXiv. https://arxiv.org/abs/2403.06634
  4. Aim Labs. (2025). EchoLeak: The first real-world zero-click prompt injection exploit in a production LLM system (arXiv:2509.10540). arXiv. https://arxiv.org/abs/2509.10540
  5. The Hacker News. (2025, June). Zero-click AI vulnerability exposes Microsoft 365 Copilot data without user interaction. https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html
  6. Checkmarx. (2025). EchoLeak (CVE-2025-32711) shows us that AI security is challenging. Checkmarx Zero Blog. https://checkmarx.com/zero-post/echoleak-cve-2025-32711-show-us-that-ai-security-is-challenging/
  7. OWASP Foundation. (2025). OWASP Top 10 for Large Language Model applications (Version 2025). https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-v2025.pdf
  8. MITRE Corporation. (n.d.). ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems. https://atlas.mitre.org/
  9. OST – Ostschweizer Fachhochschule. (2026). CAS AI-Driven Cybersecurity and Strategic Defence [Programmseite, 15 ECTS, 14 Präsenztage, Campus Rapperswil-Jona]. https://www.ost.ch/de/weiterbildung/weiterbildungsangebot/informatik/cybersecurity-networks/cas-ai-driven-cybersecurity-and-strategic-defence