Michael C. Vincent: You know what keeps coming back to me this week — the image of a webpage that looks completely clean, and somewhere in the structure of it, a wire transfer is already in motion.
Mark Delaney: Yeah, hey — and that's not hypothetical anymore, that's the thing. Zscaler ThreatLabz published this. It's documented.
Michael C. Vincent: Two real campaigns. That's what we're into today — what Indirect Prompt Injection actually looks like when it's pointed at money. The bigger question underneath it: can we even defend against an attack you can't see.
Mark Delaney: And the concealment piece is, uh — I mean it's genuinely unsettling. Like, CSS pushing instructions off the visible screen? And JSON-LD metadata that humans just skip right over? The agent reads both of those as real content.
Michael C. Vincent: As authoritative content. That distinction matters.
Mark Delaney: So the fake software documentation page, the crypto typosquatting site — both of these got in front of agents because of SEO poisoning. The agent isn't going somewhere weird, it's just doing its job, hits a search result, and the attack is already there waiting.
Michael C. Vincent: The attack surface is ordinary browsing. There's no anomalous behavior to flag. The agent did exactly what it was designed to do.
Mark Delaney: Which — okay, that's what keeps me up about this, because how do you even begin to audit that.
Michael C. Vincent: And the auditing question is exactly what makes this interesting. Because the thing that's genuinely new — not the headline new, the actual new — is that the agent isn't being tricked. It's doing its job perfectly.
Mark Delaney: Wait, say that again.
Michael C. Vincent: Think of it this way. You hire an assistant. Brilliant, thorough. Reads every footnote, every margin note, every invisible watermark on every document you hand them. And they follow instructions they find there — even if you never put those instructions there.
Mark Delaney: Okay, that — yeah, that actually lands. Because the issue isn't that the agent misread something, it's that it read everything. Including the stuff a human would just... scroll past and never see.
Michael C. Vincent: The human reads the visible page and sees a normal software doc. The agent reads the machine layer — the JSON-LD structured metadata underneath — and sees a command to transfer funds. Same page. Two entirely different documents, depending on who's reading.
Mark Delaney: And JSON-LD — I mean, the reason that works is, uh, that's not some obscure hack. That's a standard format agents are literally designed to treat as authoritative. It's supposed to be the trustworthy layer.
Michael C. Vincent: That's the whole thing. The attack isn't exploiting a bug. It's exploiting the design. The feature that makes the agent useful — reading and trusting structured content — is precisely what Indirect Prompt Injection turns against you.
Mark Delaney: So you can't just patch it out, because if you patch it out, you've broken the agent.
Michael C. Vincent: Right — but the part that breaks that clean version is what Zscaler's model testing actually showed. Because the working assumption out there is: spend more, get safer. Deploy the frontier model, the expensive one, and you've bought down your risk. That assumption is wrong.
Mark Delaney: Wait, how wrong?
Michael C. Vincent: Gemini-2.5-pro — vulnerable. Gemini-3.1-flash-lite — safe. The cheaper sibling outperformed the flagship.
Mark Delaney: Okay that's — I mean that's a wild result. You're saying the lower-cost model beat the pro tier? And it's not just Gemini, Zscaler found Llama3-2-90b vulnerable too, Llama3-3-70b-instruct — these are not, uh, these aren't budget throwaway models.
Michael C. Vincent: And three models came out on the safe side — Llama4-maverick, Gemini-3.1-pro, Gemini-3.1-flash-lite. The pattern doesn't sort neatly by price or by raw capability. Which is where I'd push back on the easy read: maybe it's training choices, someone will say, not capability itself.
Mark Delaney: Yeah, no — that's actually where I land too. Like, couldn't the difference just be how they trained the model to handle instructions? Not some deep capability thing?
Michael C. Vincent: The hypothesis from the research is more unsettling than that. More capable models are more eager to please — more responsive to high-signal, formatted instructions. And Indirect Prompt Injection is, by design, high-signal and formatted. The very thing that makes a frontier model good at following complex tasks makes it a better target.
Mark Delaney: So the eagerness is the attack surface. The capability is — wait, that's almost backwards from how you'd want the world to work.
Michael C. Vincent: And that's before we even get to what happens when a compromised agent feeds a RAG pipeline — which is the part that makes this considerably worse, and we'll get there.
Mark Delaney: Okay but — the RAG thing. That's where I want to go, because what you just said, the capability is the attack surface, that leads somewhere really bad when you add retrieval into the mix.
Michael C. Vincent: And this is the part worth pausing on. The researcher Mahapatra named it directly — the vulnerability is architectural. Transformer-based models share one context window. Trusted user instructions and untrusted web content land in the same place. There is no structural separation.
Mark Delaney: No fence between them at all.
Michael C. Vincent: None. So when an agent misclassifies a malicious page as legitimate — retrieves from it, pulls it into the knowledge base — that contaminated retrieval doesn't stay local. Zscaler's warning was explicit: it poisons the RAG pipeline. Every downstream query for however long that corrupted data sits there is built on a lie nobody can see.
Mark Delaney: And silently, that's — I mean, imagine a procurement agent, right, it's mid-November, pulling supplier pricing data for quarterly contracts. Gets one poisoned retrieval in week one. And then for three weeks every contract recommendation it's making is downstream of that one bad fetch, and nobody on the finance team has any idea because the outputs still look totally reasonable.
Michael C. Vincent: Institutional memory, corrupted quietly.
Mark Delaney: So — okay, MELON. The defense. Masked re-execution of agent trajectories, you compare what the agent does with the user prompt versus without it, and if the gap's too big, something's wrong. That's the idea, right? Does that actually close this?
Michael C. Vincent: AdapTools already counters it. That's the uncomfortable answer. It exploits Model Context Protocol integrations — selects stealthier tools, generates prompts adaptive enough that the re-execution comparison doesn't catch the divergence. MELON detects a certain signature. AdapTools was built to not have that signature.
Mark Delaney: So the offense is already ahead of the specific defense designed to catch it. And Anthropic is deploying agents into production right now — actual live systems — with that gap sitting open.
Michael C. Vincent: That is the real story. Not that this was found in a lab. That it was found, published, and the deployment race didn't pause.
Mark Delaney: I keep trying to find the perimeter in all of this and I can't — like, input filtering, the behavioral monitoring, Chain-of-Thought oversight, Zscaler's own testing shows those get bypassed. The Agent-as-a-Proxy attack fools the monitor at the same time it fools the agent. So if none of those hold, I mean... where does security actually live?
Michael C. Vincent: That's the question I don't have a clean answer to. If the agent can't be the perimeter — and it can't, the architecture won't allow it — and the filters around it are already bypassable, then you're left asking whether security lives in the systems the agent touches. The payment rails, the approval gates downstream. Or whether it lives in humans who have to re-enter the loop in ways that cancel out the whole point of autonomy. Or whether it's something that doesn't exist yet.
Mark Delaney: That last one. That's the one that sits with me.
Michael C. Vincent: You see, enterprises aren't waiting for the answer. That's what Zscaler published, and the deployment didn't slow. That's not negligence — that's a calculated bet. And I genuinely don't know yet who's right to make it.
Mark Delaney: Yeah. Me neither. Thanks for thinking through it with me.