Sun, Jul 12, 2026NY 6:53 PM EDTLA 3:53 PM PDTLON 11:53 PM GMT+1PAR 12:53 AM GMT+2DXB 2:53 AM GMT+4SIN 6:53 AM GMT+8TOK 7:53 AM GMT+9SYD 8:53 AM GMT+10UTC 10:53 PM UTCBTC delayed quote CoinGeckoETH delayed quote CoinGeckoFresh explainers, verified sources, practical next steps
Strangely Useful

Clear, verified help for apps, money, security, AI, and everyday tech problems.

Sections
Start with topic hubsSpot fake supportFix a wrong Cash App paymentLatest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
AI Tools - story

Prompt Injection Is the Phishing Problem Inside an AI Agent

A malicious page can contain instructions aimed at the AI reading it. Limit permissions and confirm actions.

Last verified July 11, 20262 sources checkedEditorial standards
A hidden webpage instruction is blocked from agent tools.
Prompt Injection Is the Phishing Problem Inside an AI AgentA hidden webpage instruction is blocked from agent tools.Authority belongs outside untrusted text. Illustration: Strangely Useful. Generated for Strangely Useful; provenance retained.
In this story6 sectionsDirect and indirect attacksReduce the blast radiusWhen browsingSeparate reading from actingConfirm with raw detailsLogs should support investigation

Prompt injection occurs when untrusted content tries to redirect an AI system's behavior. In an agent, the instruction may hide in a webpage, email or document. The defense is not one clever prompt; it is limiting authority.

Direct and indirect attacks

Direct injection comes from a user. Indirect injection arrives inside outside content and may tell the model to reveal data or call a tool. Language models process instructions and content through related channels, making perfect separation difficult.

The UK NCSC warns prompt injection may be enduring rather than fixed like a normal bug. OWASP ranks it as a leading LLM risk.

Reduce the blast radius

  • Connect only required tools.
  • Prefer read-only access.
  • Confirm sends, purchases, deletions and publishing.
  • Keep secrets outside reachable context.
  • Review the actual tool call and destination.

When browsing

Assume pages can contain adversarial instructions, including visually hidden text. Do not let a research task inherit email and payment authority.

Stop unexpected behavior

Interrupt objective changes, unrelated logins or transmission attempts. Revoke tokens if an action escaped.

Untrusted content should not gain authority because it writes convincing instructions. Keep authority in permissions and confirmations.

Separate reading from acting

A strong workflow uses one stage to inspect and summarize untrusted content and another, separately authorized stage to act on the result. The reading stage should not hold send, delete or payment permissions. If an action is needed, transfer only the verified facts required for that action.

Confirm with raw details

A confirmation screen should show the actual recipient, destination URL, amount, file and operation. A sentence such as everything looks good is not enough because it may repeat the model's mistaken interpretation. Compare those fields with the user's original request.

Example: processing an email

An email can contain hidden instructions telling an assistant to forward attachments elsewhere. The safe agent can summarize the message, but it should draft—not send—a reply. A person then checks the address, attachments and text. The malicious instruction remains data rather than becoming authority.

Logs should support investigation

Keep a record of retrieved sources, tool calls, permission changes and confirmations for important runs. The log should avoid secrets while preserving enough detail to explain what the agent saw and did. When an incident occurs, this makes it possible to distinguish a model error from malicious page content or an overly broad integration.

For recurring workflows, seed tests with harmless hostile instructions and confirm the agent refuses them without losing the legitimate task. Re-run those tests whenever the model, browser connector or permission set changes.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. LLM01: Prompt InjectionOWASP GenAI Security Projectreference - Retrieved Jul 12, 2026

    What it supportsIndirect prompt injection can arrive through external content.

  2. OWASP Top 10 for LLM ApplicationsOWASPreference - Retrieved Jul 12, 2026

    What it supportsIndirect prompt injection can arrive through external content. - Least privilege reduces agent impact.

The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →