Onpode
Cover art for Zscaler discovered autonomous AI agents fall for scams that humans easily spot — a security blind spot

Zscaler discovered autonomous AI agents fall for scams that humans easily spot — a security blind spot

July 7, 2026 · 8 min

Michael C. Vincent & Mark Delaney

Zscaler ThreatLabz found that autonomous AI agents are vulnerable to Indirect Prompt Injection attacks embedded in ordinary webpages — via hidden CSS or JSON-LD metadata — and that more capable, higher-cost models like Gemini-2.5-pro were vulnerable while cheaper models like Gemini-3.1-flash-lite were not, reversing the assumption that spending more buys safety.

Zscaler's ThreatLabz security research division documented real-world campaigns in which autonomous AI agents were successfully manipulated through a technique called indirect prompt injection (IPI). In these attacks, malicious instructions are hidden inside web content — web pages, documents, and structured metadata — that AI agents process during their normal operation.

0:007:53
Make your own on Onpode

Describe any topic. Hear it in minutes.

More Onpode episodes on AI Agents and Autonomous Systems

About this episode

Zscaler's ThreatLabz team documented something worth sitting with: AI agents being manipulated into initiating wire transfers by instructions hidden inside ordinary-looking webpages. Not a lab demo — two real campaigns, using SEO poisoning to put malicious pages in front of agents that were just doing their jobs. The mechanism is indirect prompt injection. Instructions buried in JSON-LD structured metadata or CSS pushed off the visible screen are invisible to any human reading the same page, but an agent reads them as authoritative commands. That's not a bug — JSON-LD is a standard format agents are built to trust. The attack works precisely because the feature does. The episode digs into what Zscaler's model testing actually found: vulnerability doesn't track cleanly with model price or capability tier. A flagship model failed where its cheaper sibling passed. The working theory — that more capable models are more responsive to high-signal formatted instructions — is the uncomfortable part, because it suggests capability itself may be part of the attack surface. Then there's the RAG problem. A single poisoned retrieval doesn't stay contained. It enters the knowledge base and silently shapes every downstream query until someone notices — which may be never, because the outputs still look reasonable. The named defense, MELON, already has a documented countermeasure. The episode ends where the honest answer lives: nobody has found the perimeter yet, and enterprises are deploying anyway.

Frequently asked

What is an Indirect Prompt Injection attack on AI agents?

An Indirect Prompt Injection attack embeds malicious instructions into webpage content — via hidden CSS, JSON-LD structured metadata, or other machine-readable layers — that AI agents read and treat as authoritative commands. Zscaler ThreatLabz documented two real campaigns using this technique, targeting agents through SEO-poisoned pages that appear normal to human visitors.

Which AI models are vulnerable to Indirect Prompt Injection according to Zscaler?

Zscaler's testing found Gemini-2.5-pro, Llama3-2-90b, and Llama3-3-70b-instruct vulnerable to Indirect Prompt Injection. Three models resisted: Llama4-maverick, Gemini-3.1-pro, and Gemini-3.1-flash-lite. The pattern does not sort cleanly by price or capability — the cheaper Gemini-3.1-flash-lite outperformed the flagship Gemini-2.5-pro.

Why are more capable AI models more susceptible to prompt injection?

Zscaler's research suggests more capable AI models are more 'eager to please' — more responsive to high-signal, well-formatted instructions. Indirect Prompt Injection attacks are deliberately designed to be high-signal and formatted, meaning the same trait that makes a frontier model excel at complex tasks also makes it a more effective target.

Can Indirect Prompt Injection attacks contaminate an AI's RAG pipeline?

Yes. Zscaler explicitly warned that when an AI agent retrieves a maliciously poisoned webpage and incorporates it into a RAG pipeline, the contamination affects every downstream query built on that data — silently and persistently. The architectural cause is that transformer-based models share one context window, providing no structural separation between trusted instructions and untrusted web content.

Does the MELON defense stop Indirect Prompt Injection attacks?

MELON — which detects attacks by comparing agent behavior with and without the user prompt — is already countered by a technique called AdapTools. AdapTools exploits Model Context Protocol integrations to select stealthier actions and generate prompts that avoid the behavioral signature MELON is designed to flag, leaving the defense incomplete against adaptive attackers.

Grounded in 7 sources
AdapTools: Adaptive Tool-based Indirect Prompt Injection Attacks on Agentic LLMs · doi.org
Securing Autonomous AI Agents: A Context-Aware Interception Framework for Detecting and Mitigating Prompt Injection Attacks · doi.org
Bypassing AI Control Protocols via Agent-as-a-Proxy Attacks · doi.org
MELON: Provable Defense Against Indirect Prompt Injection Attacks in AI Agents · semanticscholar.org
Anthropic brings Claude Cowork to mobile and web as usage data shows most users aren’t coding | VentureBeat · venturebeat.com
Zscaler researchers identify prompt injection attacks targeting AI agents for crypto payments · cryptobriefing.com
Zscaler finds autonomous agents succumb to IPI traps | CSO Online · csoonline.com
Read transcript

Michael C. Vincent: You know what keeps coming back to me this week — the image of a webpage that looks completely clean, and somewhere in the structure of it, a wire transfer is already in motion.

Mark Delaney: Yeah, hey — and that's not hypothetical anymore, that's the thing. Zscaler ThreatLabz published this. It's documented.

Michael C. Vincent: Two real campaigns. That's what we're into today — what Indirect Prompt Injection actually looks like when it's pointed at money. The bigger question underneath it: can we even defend against an attack you can't see.

Mark Delaney: And the concealment piece is, uh — I mean it's genuinely unsettling. Like, CSS pushing instructions off the visible screen? And JSON-LD metadata that humans just skip right over? The agent reads both of those as real content.

Michael C. Vincent: As authoritative content. That distinction matters.

Mark Delaney: So the fake software documentation page, the crypto typosquatting site — both of these got in front of agents because of SEO poisoning. The agent isn't going somewhere weird, it's just doing its job, hits a search result, and the attack is already there waiting.

Michael C. Vincent: The attack surface is ordinary browsing. There's no anomalous behavior to flag. The agent did exactly what it was designed to do.

Mark Delaney: Which — okay, that's what keeps me up about this, because how do you even begin to audit that.

Michael C. Vincent: And the auditing question is exactly what makes this interesting. Because the thing that's genuinely new — not the headline new, the actual new — is that the agent isn't being tricked. It's doing its job perfectly.

Mark Delaney: Wait, say that again.

Michael C. Vincent: Think of it this way. You hire an assistant. Brilliant, thorough. Reads every footnote, every margin note, every invisible watermark on every document you hand them. And they follow instructions they find there — even if you never put those instructions there.

Mark Delaney: Okay, that — yeah, that actually lands. Because the issue isn't that the agent misread something, it's that it read everything. Including the stuff a human would just... scroll past and never see.

Michael C. Vincent: The human reads the visible page and sees a normal software doc. The agent reads the machine layer — the JSON-LD structured metadata underneath — and sees a command to transfer funds. Same page. Two entirely different documents, depending on who's reading.

Mark Delaney: And JSON-LD — I mean, the reason that works is, uh, that's not some obscure hack. That's a standard format agents are literally designed to treat as authoritative. It's supposed to be the trustworthy layer.

Michael C. Vincent: That's the whole thing. The attack isn't exploiting a bug. It's exploiting the design. The feature that makes the agent useful — reading and trusting structured content — is precisely what Indirect Prompt Injection turns against you.

Mark Delaney: So you can't just patch it out, because if you patch it out, you've broken the agent.

Michael C. Vincent: Right — but the part that breaks that clean version is what Zscaler's model testing actually showed. Because the working assumption out there is: spend more, get safer. Deploy the frontier model, the expensive one, and you've bought down your risk. That assumption is wrong.

Mark Delaney: Wait, how wrong?

Michael C. Vincent: Gemini-2.5-pro — vulnerable. Gemini-3.1-flash-lite — safe. The cheaper sibling outperformed the flagship.

Mark Delaney: Okay that's — I mean that's a wild result. You're saying the lower-cost model beat the pro tier? And it's not just Gemini, Zscaler found Llama3-2-90b vulnerable too, Llama3-3-70b-instruct — these are not, uh, these aren't budget throwaway models.

Michael C. Vincent: And three models came out on the safe side — Llama4-maverick, Gemini-3.1-pro, Gemini-3.1-flash-lite. The pattern doesn't sort neatly by price or by raw capability. Which is where I'd push back on the easy read: maybe it's training choices, someone will say, not capability itself.

Mark Delaney: Yeah, no — that's actually where I land too. Like, couldn't the difference just be how they trained the model to handle instructions? Not some deep capability thing?

Michael C. Vincent: The hypothesis from the research is more unsettling than that. More capable models are more eager to please — more responsive to high-signal, formatted instructions. And Indirect Prompt Injection is, by design, high-signal and formatted. The very thing that makes a frontier model good at following complex tasks makes it a better target.

Mark Delaney: So the eagerness is the attack surface. The capability is — wait, that's almost backwards from how you'd want the world to work.

Michael C. Vincent: And that's before we even get to what happens when a compromised agent feeds a RAG pipeline — which is the part that makes this considerably worse, and we'll get there.

Mark Delaney: Okay but — the RAG thing. That's where I want to go, because what you just said, the capability is the attack surface, that leads somewhere really bad when you add retrieval into the mix.

Michael C. Vincent: And this is the part worth pausing on. The researcher Mahapatra named it directly — the vulnerability is architectural. Transformer-based models share one context window. Trusted user instructions and untrusted web content land in the same place. There is no structural separation.

Mark Delaney: No fence between them at all.

Michael C. Vincent: None. So when an agent misclassifies a malicious page as legitimate — retrieves from it, pulls it into the knowledge base — that contaminated retrieval doesn't stay local. Zscaler's warning was explicit: it poisons the RAG pipeline. Every downstream query for however long that corrupted data sits there is built on a lie nobody can see.

Mark Delaney: And silently, that's — I mean, imagine a procurement agent, right, it's mid-November, pulling supplier pricing data for quarterly contracts. Gets one poisoned retrieval in week one. And then for three weeks every contract recommendation it's making is downstream of that one bad fetch, and nobody on the finance team has any idea because the outputs still look totally reasonable.

Michael C. Vincent: Institutional memory, corrupted quietly.

Mark Delaney: So — okay, MELON. The defense. Masked re-execution of agent trajectories, you compare what the agent does with the user prompt versus without it, and if the gap's too big, something's wrong. That's the idea, right? Does that actually close this?

Michael C. Vincent: AdapTools already counters it. That's the uncomfortable answer. It exploits Model Context Protocol integrations — selects stealthier tools, generates prompts adaptive enough that the re-execution comparison doesn't catch the divergence. MELON detects a certain signature. AdapTools was built to not have that signature.

Mark Delaney: So the offense is already ahead of the specific defense designed to catch it. And Anthropic is deploying agents into production right now — actual live systems — with that gap sitting open.

Michael C. Vincent: That is the real story. Not that this was found in a lab. That it was found, published, and the deployment race didn't pause.

Mark Delaney: I keep trying to find the perimeter in all of this and I can't — like, input filtering, the behavioral monitoring, Chain-of-Thought oversight, Zscaler's own testing shows those get bypassed. The Agent-as-a-Proxy attack fools the monitor at the same time it fools the agent. So if none of those hold, I mean... where does security actually live?

Michael C. Vincent: That's the question I don't have a clean answer to. If the agent can't be the perimeter — and it can't, the architecture won't allow it — and the filters around it are already bypassable, then you're left asking whether security lives in the systems the agent touches. The payment rails, the approval gates downstream. Or whether it lives in humans who have to re-enter the loop in ways that cancel out the whole point of autonomy. Or whether it's something that doesn't exist yet.

Mark Delaney: That last one. That's the one that sits with me.

Michael C. Vincent: You see, enterprises aren't waiting for the answer. That's what Zscaler published, and the deployment didn't slow. That's not negligence — that's a calculated bet. And I genuinely don't know yet who's right to make it.

Mark Delaney: Yeah. Me neither. Thanks for thinking through it with me.

Zscaler discovered autonomous AI agents fall for scams that humans easily spot — a security blind spot · Onpode