CrowdStrike warns prompt injection attacks hit over 90 firms in 2025
Summary
CrowdStrike's 2026 Global Threat Report revealed prompt injection attacks impacted over 90 organizations in 2025, with injected prompts acting as malware to steal credentials and cryptocurrency. This contributed to an 89% year-over-year increase in AI-enabled adversary operations, where 82% of intrusions used no traditional malicious code, targeting agents and copilots. Prompt injection remains LLM01 on the OWASP Top 10, highlighting language models' inability to distinguish developer instructions from untrusted text. Incidents like Slack AI data exfiltration in August 2024 and EchoLeak (CVE-2025-32711) against Microsoft 365 Copilot, scoring CVSS 9.3, demonstrate severe vulnerabilities. The attack surface now includes agentic stacks, allowing malicious instructions to persist in long-term memory. OpenAI and Anthropic acknowledge the difficulty of fully solving prompt injection, with reported success rates up to 78.6% for Claude Opus 4.6 over 200 attempts and 53.6% for Google Gemini. Gartner advised CISOs in December 2025 to block AI browsers due to these risks.
Key takeaway
For AI Security Engineers deploying or managing AI agents and copilots, assume models may occasionally follow injected instructions. You must implement robust external controls, including limiting each agent's authority and requiring human approval for critical actions. Prioritize tagging retrieval sources by sensitivity and establish comprehensive auditing practices. When evaluating vendors, ask about their prompt injection detection capabilities, success rates, and adherence to OWASP recommendations.
Key insights
Prompt injection is a persistent, evolving threat leveraging LLM inability to distinguish trusted instructions, leading to credential theft and data exfiltration.
Principles
- LLMs inherently struggle to separate authorized commands from untrusted content.
- Agentic stacks expand vulnerability by retaining malicious instructions.
- Prompt injection is unlikely to be fully solved, akin to social engineering.
In practice
- Limit each agent's authority and require human approval.
- Tag retrieval sources based on sensitivity.
- Implement robust auditing practices for agent actions.
Topics
- Prompt Injection
- LLM Security
- OWASP Top 10
- AI Agents
- Microsoft 365 Copilot
- Cybersecurity Threats
Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, MLOps Engineer, Director of AI/ML
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Dataconomy.