Attackers are increasingly exploiting generative AI by embedding malicious prompts in macros and exposing hidden data through parsers.
The switch in adversarial tactics — noted in a recent State of File Security study from OPSWAT — calls for enterprises to extend the same type of protection they already apply to software development pipelines into AI environments, according to experts in AI security polled by CSO.
“Broadly speaking, this threat vector — ‘malicious prompts embedded in macros’ — is yet another prompt injection method,” Roberto Enea, lead data scientist at cybersecurity services firm Fortra, told CSO. “In this specific case, the injection is done inside document macros or VBA [Visual Basic for Applications] scripts and is aimed at AI systems that analyze files.”
Enea added: “Typically, the end goal is to mislead the AI system into classifying malware as safe.”
Dane Sherrets, staff innovations architect at bug bounty platform HackerOne, said that embedding malicious prompts in macros is a prime example of where the capabilities of gen AI can be turned against the systems themselves.
“This technique uses macros to deliver a form of prompt injection, feeding deceptive inputs that push the LLM to behave in an unintended way,” Sherrets said. “This can cause the system to spit out sensitive or confidential data or help the malicious actor gain access to the back end of the system.”
Zero-click prompt injection
Isolated examples of exploits and malware abusing gen AI only began emerging earlier this year.
For example, Aim Security’s researchers recently discovered EchoLeak (CVE-2025-32711), a zero-click prompt injection vulnerability discovered in Microsoft 365 Copilot, and described as the first such attack on an AI agent.
“Attackers could embed hidden instructions in common business files like emails or Word documents, and when Copilot processed the file, it executed those instructions automatically,” Quentin Rhoads-Herrera, VP of cybersecurity services at Stratascale, explained.
In response to the vulnerability, Microsoft recommended patching, restricting Copilot access, stripping hidden metadata from shared files, and enabling its built-in AI security controls.
Another similar attack, CurXecute (CVE-2025-54135), allowed remote code execution through prompt injection in software development environments.
“Attackers will keep finding novel ways to embed their prompt injections in places that are out of sight for the user but are processed by the LLM nonetheless,” said Itay Ravia, Aim Labs’ head of research. “Embedding prompt injections in macros is just one of the latest trends.”
Jedi mind trick turned against AI-based malware scanners
The “Skynet” malware, discovered in June 2025, featured an attempted prompt injection against AI-powered security tools. The technique was designed to manipulate AI malware analysis systems into falsely declaring no malware was detected in a sample through a form of “Jedi mind trick.”
Researchers at Check Point reckon the malware was most likely a proof-of-concept experiment by malware developers.
“We’ve already seen proof-of-concept attacks where malicious prompts are hidden inside documents, macros, or configuration files to trick AI systems into exfiltrating data or executing unintended actions,” Stratascale’s Rhoads-Herrera commented. “Researchers have also demonstrated how LLMs can be misled through hidden instructions in code comments or metadata, showing the same principle at work.”
Rhoads-Herrera added: “While some of these remain research-driven, the techniques are quickly moving into the hands of attackers who are skilled at weaponizing proof-of-concepts.”
Under the radar
Ensar Seker, CISO at threat intelligence vendor SOCRadar, described the abuse of gen AI systems through prompt injection as an evolution in malware delivery tactics.
“It’s not just about dropping a payload anymore; it’s about crafting dynamic instructions that can manipulate behavior at runtime, and then hiding or encoding those instructions so they evade traditional scanning tools,” Seker said.
Jason Keirstead, VP of security strategy at security operations firm Simbian AI, said that many prompt injection attacks against gen AI systems are going under the radar.
“For example, people are putting malicious prompts in resumes they upload to recruitment sites, causing the AIs used in job portals to surface their resume at the top,” Keirstead explained. “We also have recently seen the malicious prompts that targeted the Comet browser, etc.”
Stealthy and systemic threat
Dorian Granoša, lead red team data scientist at AI security specialists SplxAI, said that prompt injection has become a “stealthy and systemic threat” In real-world deployments tested by the firm.
“Attackers conceal instructions via ultra-small fonts, background-matched text, ASCII smuggling using Unicode Tags, macros that inject payloads at parsing time, and even file metadata (e.g., DOCX custom properties, PDF/XMP, EXIF),” Granoša explained. “These vectors evade human review yet are fully parsed and executed by LLMs, enabling indirect prompt injection.”
Countermeasures
Justin Endres, head of data security at cybersecurity vendor Seclore, argued that security leaders can’t rely on legacy tools alone to defend against malicious prompts that turn “everyday files into Trojan horses for AI systems.”
“[Security leaders] need layered defenses that sanitize content before it ever reaches an AI parser, enforce strict guardrails around model inputs, and keep humans in the loop for critical workflows,” Endres advised. “Otherwise, attackers will be the ones writing the prompts that shape your AI’s behavior.”
Defending against these types of attacks involves a combination of technical defense procedures and policy controls, such as:
Perform deep inspection of any file that enters an enterprise environment, especially from untrusted sources. “Use sandboxing, static analysis, and behavioral simulation tools to see what the macros or embedded prompts actually do before opening,” SOCRadar’s Seker advised.
Implement policies that isolate macro execution — for example, application sandboxing or Microsoft’s protected view.
Evaluate content disarm and reconstruction (CDR) tools. “CDR rebuilds files without active content, neutralizing embedded threats,” SOCRadar’s Seker explained. “This is especially effective for PDFs, Office files, and other structured documents.”
Sanitize any input (prompts) into generative AI systems.
Design AI systems to include a “verification” component that reviews inputs and applies guardrails.
Apply clear protocols for validating AI outputs.
The most effective countermeasures come down to visibility, governance, and guardrails, according to Stratascale’s Rhoads-Herrera.
SOCRadar’s Seker argued that enterprises should treat AI pipelines the same way they handle CI/CD pipelines by extending zero-trust principles into their data parsing and AI workflows. In practice this means introducing guardrails, enforcing output verification, and using contextual filters to block unauthorized instructions from being executed or acted on by LLM-based systems.
“I strongly encourage CISOs and red teams to begin testing AI-enabled workflows against adversarial prompts today, before threat actors make this mainstream,” Seker concluded.
No Responses