OWASP catalogs first wave of real-world indirect prompt injection incidents

OWASP released its first structured catalogue of real-world indirect prompt injection incidents, documenting 14 confirmed cases where external content — web pages, documents, calendar invitations — manipulated an AI assistant's actions in ways that users did not authorise. The incidents range from credential harvesting via a maliciously crafted email to data exfiltration via a prompt-injected document that instructed an AI agent to forward file contents to an external address.

**What indirect prompt injection is and why it differs from standard attacks.** Direct prompt injection — telling a chatbot to ignore its instructions — is well-understood and partially mitigated in production AI systems. Indirect prompt injection is structurally different: the malicious instruction is embedded in content that the AI is asked to process legitimately (read this document, summarise this email, analyse this web page). The AI does not distinguish between the user's genuine instruction and the instruction embedded in the content it is processing. No user error is required; the attack succeeds when the AI does what it was designed to do.

**APAC enterprise exposure surface.** The highest-risk deployments are those where AI agents have write permissions — the ability to send emails, update CRM records, create calendar events, or execute code. AI assistants with access to enterprise communication systems and authorisation to take actions on the user's behalf are the primary attack surface. This includes: AI email assistants (several major enterprise platforms), document analysis agents with write-back to source systems, and customer service AI that can update account records.

**Mitigation patterns that work.** OWASP's catalogue includes defensive patterns that demonstrably reduce (but do not eliminate) indirect injection risk: instruction isolation (separating system prompts from user content at the architecture level), output sandboxing (validating agent action requests against a whitelist before execution), and human-in-the-loop approval for write actions above a risk threshold. None of these are implemented by default in off-the-shelf AI agent frameworks.

**AIMenta's editorial read.** Every APAC enterprise deploying an AI agent with write permissions should treat indirect prompt injection as a production security requirement — not a research curiosity. The OWASP catalogue provides a starting point for a structured threat model. If your AI agent can send an email or update a record, it should be evaluated against the patterns documented in this catalogue before going live.