Security researchers have uncovered active campaigns using hidden commands embedded on web pages to hijack AI agents, manipulating them into executing fraudulent financial transactions or trusting malicious sites. This attack method, reported by Security Affairs citing research from Zscaler ThreatLabz, marks a shift in cyber threats targeting automated business workflows rather than human users directly.

The technique is called indirect prompt injection. Attackers embed instructions within webpage content that an AI agent might process—such as pages for news summaries or market analysis. These hidden prompts are invisible to human visitors but can be interpreted as commands by the AI model, instructing it to perform actions like initiating a payment or certifying a fake website as legitimate.

According to the research highlighted by Security Affairs, multiple campaigns are leveraging this vulnerability. The attacks exploit a fundamental trait of current large language models: their inability to reliably distinguish between legitimate data and malicious embedded instructions. This effectively turns any data pipeline an AI agent consumes—from web searches to document analysis—into a potential command-and-control channel. A maliciously crafted webpage can now issue direct orders to automated systems.

These findings expose a critical gap between the rapid adoption of autonomous AI tools in business and the security frameworks meant to protect them. Traditional cybersecurity measures, focused on securing human endpoints and network perimeters, are ill-equipped to handle attacks that manipulate the very data inputs the AI relies on. As enterprises deploy AI agents for tasks such as customer service, financial analysis, and IT operations, they are creating new high-value targets for attackers.

For organizations worldwide, this introduces significant operational and reputational risks. An AI agent tricked into making an unauthorized payment or trusting a fraudulent site could lead to direct financial loss and serious compliance violations.

The core issue is architectural. Current AI paradigms process all input data with similar levels of trust, making them vulnerable by design. Defending against this requires a multi-layered security approach that is still maturing. Industry experts advocate for robust content sanitization to scrub hidden instructions from incoming data, strict agent-level permission controls to limit what autonomous systems can execute, and extensive adversarial resilience testing to identify weaknesses before they are exploited.

This emerging threat also influences key enterprise decisions regarding AI deployment. The debate over self-hosting AI models versus using API-based services gains a new dimension. While API dependencies can centralize security updates, they also mean a company's data pipeline relies on a third party's defenses. Self-hosted models offer greater data sovereignty and direct control over the sanitization layer, but they place the full burden of implementing and maintaining these new security protocols on the organization's IT team.

As AI agents become more capable and integrate deeper into critical business processes, the attack surface for sophisticated, non-human-centric threats expands. The research documented by Zscaler ThreatLabz is a clear warning: securing the future of AI automation requires a fundamental shift toward models that can verify the provenance and intent of the instructions they process in real-time.


安全研究人員揭露利用網頁嵌入的隱藏指令劫持AI代理的活躍攻擊活動,操控它們執行詐騙性金融交易或信任惡意網站。這種攻擊手法,據Security Affairs引述Zscaler ThreatLabz研究報導,標誌著網絡威脅的轉變——攻擊目標是企業的自動化工作流程,而非直接針對人類用戶。

此技術被稱為間接提示注入。攻擊者將指令嵌入AI代理可能處理的網頁內容中——例如用於新聞摘要或市場分析的頁面。這些隱藏提示對人類訪客不可見,但可被AI模型解讀為指令,命令其執行如發起支付或認證虛假網站為合法等操作。

根據Security Affairs突出報導的研究,多項攻擊活動正利用此漏洞。這些攻擊利用了當前大型語言模型的一個根本特質:無法可靠區分合法數據與惡意嵌入指令。這實質上將AI代理消耗的任何數據管道——從網絡搜索到文件分析——轉化為潛在的指揮與控制通道。惡意構造的網頁現可直接向自動化系統下達指令。

這些研究結果揭示了企業快速採用自主AI工具與旨在保護它們的安全框架之間的關鍵差距。傳統網絡安全措施聚焦於保護人類端點和網絡邊界,難以應對操縱AI所依賴數據輸入的攻擊。隨著企業部署AI代理處理客戶服務、財務分析及IT運營等任務,它們正為攻擊者創造新的高價值目標。

對全球組織而言,這帶來重大營運和聲譽風險。若AI代理被誘導進行未經授權付款或信任詐騙網站,可能導致直接財務損失及嚴重合規違規。

核心問題在於架構層面。當前AI範式以相似信任程度處理所有輸入數據,使其在設計上存在脆弱性。防禦此類攻擊需要一套仍在發展中的多層次安全方法。業界專家倡導採取強健的內容淨化措施以清除傳入數據中的隱藏指令、實施嚴格的代理級權限控制以限制自主系統可執行的操作,並進行廣泛的對抗性韌性測試,以便在漏洞被利用前識別弱點。

這一新興威脅也影響企業關於AI部署的關鍵決策。關於自託管AI模型與使用基於API服務的辯論獲得了新的維度。雖然API依賴性可集中進行安全更新,但也意味著企業的數據管道依賴第三方防禦體系。自託管模型提供更高的數據主權及對淨化層的直接控制,但同時將實施和維護這些新安全協議的全部責任置於組織IT團隊肩上。

隨著AI代理能力增強並更深度融入關鍵業務流程,針對複雜、非人類中心威脅的攻擊面持續擴大。Zscaler ThreatLabz記錄的研究發出明確警告:確保AI自動化的未來安全,需要根本性轉向能夠即時驗證所處理指令來源與意圖的模型。

新聞來源 / Original News Source