{"vulnerability": "CVE-2025-32711", "sightings": [{"uuid": "770ef171-dd28-4d30-abdb-b01ae227a822", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lrjkhkdza22g", "content": "", "creation_timestamp": "2025-06-13T23:07:09.902046Z"}, {"uuid": "6e5ab18e-2303-4d0d-87c8-931480782a70", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/ai-ru.at.thenote.app/post/3lrqg57zi4k2h", "content": "", "creation_timestamp": "2025-06-16T16:38:26.675870Z"}, {"uuid": "50ab36dd-e68e-40cd-9ee9-6d108e92eb0a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/securityrss.bsky.social/post/3lrejccktt526", "content": "", "creation_timestamp": "2025-06-11T23:03:03.361558Z"}, {"uuid": "24974dac-8272-4e87-8646-1994e42200b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pigondrugs.bsky.social/post/3ltyvxur2qq26", "content": "", "creation_timestamp": "2025-07-15T12:33:28.483863Z"}, {"uuid": "3f9564a8-e21d-4b78-a693-bd9bfdb7227a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/jos1264.social.skynetcloud.site.ap.brid.gy/post/3lrjuxthzjfp2", "content": "", "creation_timestamp": "2025-06-14T02:15:20.495537Z"}, {"uuid": "4a9b9136-6c3d-4a4c-a1eb-d60ea3ab4458", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3lrjv4h54s72s", "content": "", "creation_timestamp": "2025-06-14T02:17:48.800369Z"}, {"uuid": "39a09b38-a35e-421c-9c3e-389d4e4f48ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://threatintel.cc/2025/06/12/echoleak-ai-attack-enabled-theft.html", "content": "", "creation_timestamp": "2025-06-12T09:46:28.000000Z"}, {"uuid": "d6e70355-4010-425f-a595-3ef1a60ddd09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3lryy2wn5el2q", "content": "", "creation_timestamp": "2025-06-20T02:20:35.042772Z"}, {"uuid": "4c3215b2-aba9-438b-a6b1-3126c361f904", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/jbhall56.bsky.social/post/3lrfufpjagk22", "content": "", "creation_timestamp": "2025-06-12T11:54:28.382102Z"}, {"uuid": "33a169ea-4988-4f74-8867-7749f88c62eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lrfs5ha66e32", "content": "", "creation_timestamp": "2025-06-12T11:15:26.241643Z"}, {"uuid": "c89684f1-29d0-4cf0-a264-0cabd3adc5c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"CVE-2025-32711", "type": "seen", "source": "https://infosec.exchange/users/edwardk/statuses/114670225470808444", "content": "", "creation_timestamp": "2025-06-12T11:46:22.574512Z"}, {"uuid": "de889bd3-1f7d-41f7-b1d2-72f44885ce66", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/buzzleaktv.bsky.social/post/3lrfubbglab24", "content": "", "creation_timestamp": "2025-06-12T11:51:58.414479Z"}, {"uuid": "6e6532aa-86bb-42e9-b7e8-613c4c2701a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://infosec.exchange/users/jbhall56/statuses/114670256650492308", "content": "", "creation_timestamp": "2025-06-12T11:54:18.381870Z"}, {"uuid": "95182e00-a8cf-4c86-a81d-b43bfc562e6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3ltlwjfp75s24", "content": "", "creation_timestamp": "2025-07-10T08:38:39.601926Z"}, {"uuid": "37e7a4a2-9741-4b5d-add2-d3379be24d55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/chrjcar.bsky.social/post/3lrg4gdwbcs2z", "content": "", "creation_timestamp": "2025-06-12T14:18:02.544519Z"}, {"uuid": "2da02fc4-1019-4490-9170-38eb72350e4a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3lrmg2vvryg2a", "content": "", "creation_timestamp": 
"2025-06-15T02:26:30.497718Z"}, {"uuid": "168a092c-e3ae-457b-ba1d-0c59bd7dbd47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html", "content": "", "creation_timestamp": "2025-06-12T09:11:00.000000Z"}, {"uuid": "08ea6340-0eb3-48c0-85d1-a30e4dabb1ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lrlu3tgcik27", "content": "", "creation_timestamp": "2025-06-14T21:05:04.616468Z"}, {"uuid": "2a4cb03e-fe23-4fae-b681-130fd4b28748", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lrlu3v5yps27", "content": "", "creation_timestamp": "2025-06-14T21:05:05.143229Z"}, {"uuid": "8a485f79-d086-4812-bef2-fb3a759d426b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lrlu3xcpws27", "content": "", "creation_timestamp": "2025-06-14T21:05:05.667476Z"}, {"uuid": "e111489b-294f-4ca7-a057-513527e931a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3lrlu3zhg6k27", "content": "", "creation_timestamp": "2025-06-14T21:05:06.187060Z"}, {"uuid": "d64f676e-6985-43da-b95c-9794f8c0a19d", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3lrwhn24vjw2a", "content": "", "creation_timestamp": "2025-06-19T02:21:09.709728Z"}, {"uuid": "58b6be73-d49c-4c1f-92cd-576eae4f5350", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/jos1264.social.skynetcloud.site.ap.brid.gy/post/3lrgzctfwhae2", "content": "", "creation_timestamp": "2025-06-12T22:56:14.521908Z"}, {"uuid": "4cd36515-10c4-49c2-832d-bbb1eed1a553", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/shiojiri.com/post/3lrhsn75oxs2w", "content": "", "creation_timestamp": "2025-06-13T06:28:10.548957Z"}, {"uuid": "e4a018ae-d560-4db3-8892-f53a4e0b1c43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/ai-news.at.thenote.app/post/3lricsvriqk2h", "content": "", "creation_timestamp": "2025-06-13T11:17:41.216514Z"}, {"uuid": "40aaa069-ecd4-4f02-a23b-9b3c06fa98bc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/114665075954450808", "content": "", "creation_timestamp": "2025-06-11T13:56:47.374584Z"}, {"uuid": "c6fc8058-53b3-42ac-a61d-dafb716f4736", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", 
"source": "https://bsky.app/profile/pigondrugs.bsky.social/post/3lrihaeb7kc2s", "content": "", "creation_timestamp": "2025-06-13T12:36:47.898843Z"}, {"uuid": "be7ffccc-e14d-40fd-99a1-b6adc22bdd3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/sushicomabacate.com/post/3lriu4is5fs27", "content": "", "creation_timestamp": "2025-06-13T16:27:17.729696Z"}, {"uuid": "d1624c3c-cf3c-4162-b631-437dcc651eef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/cti-news.bsky.social/post/3lrdjjo7aqd2w", "content": "", "creation_timestamp": "2025-06-11T13:34:29.786854Z"}, {"uuid": "cba5e009-1d51-455a-bab5-93b38401e53c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/checkmarxzero.bsky.social/post/3lsjidxcxez2g", "content": "", "creation_timestamp": "2025-06-26T15:54:33.413228Z"}, {"uuid": "1c8aa79f-24e7-459f-9f67-d682997fe97c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lrdq7dfksc2m", "content": "", "creation_timestamp": "2025-06-11T15:33:57.957881Z"}, {"uuid": "5e649b10-5659-42ad-8a7e-6f869b4aa802", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/alwayspushtheroll.com/post/3lw7wksfda22j", "content": "", "creation_timestamp": "2025-08-12T18:23:06.392728Z"}, {"uuid": 
"48a184aa-ce28-4d2c-8e54-111eb5789d5a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3lrtx5exigc2k", "content": "", "creation_timestamp": "2025-06-18T02:20:44.887930Z"}, {"uuid": "7c909cdb-817a-4638-9956-ffee9d144aa5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/cdarwin.c.im.ap.brid.gy/post/3lxo7vt6k4tz2", "content": "", "creation_timestamp": "2025-08-31T04:14:14.077236Z"}, {"uuid": "d36ac1da-71bc-4ba4-a3df-b542574d98f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/Darkcrai86/e415d0a95cb8194ceb3e8cf19d27e8be", "content": "", "creation_timestamp": "2025-09-11T07:20:14.000000Z"}, {"uuid": "84d33b2f-e661-403f-be44-8fe882066927", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3lxqkdnktpk2c", "content": "", "creation_timestamp": "2025-09-01T02:24:47.151520Z"}, {"uuid": "cfea97da-3e26-4d99-b239-4e626ba4e60e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://cyber.gc.ca/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049", "content": "", "creation_timestamp": "2026-03-05T16:56:13.000000Z"}, {"uuid": "8894d22b-84be-4fb4-9f29-81e391d784da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/AnthonyAlcaraz/2368ec0d66d51986f52463d1ba135934", "content": "", "creation_timestamp": "2026-03-09T08:58:25.000000Z"}, {"uuid": "cef283a6-49a8-4b97-a291-dbc79760eebb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://bsky.app/profile/LLMs.activitypub.awakari.com.ap.brid.gy/post/3mhjo5666j2s2", "content": "", "creation_timestamp": "2026-03-20T23:27:39.625231Z"}, {"uuid": "0f582dca-2bce-4875-983b-4a56fb15d346", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "Telegram/d4nUwsOBOdQROW01SEnvl_Ro6E92wcWw7AWRntwHKYeAQB4", "content": "", "creation_timestamp": "2025-06-11T20:16:15.000000Z"}, {"uuid": "11f99dc9-8590-42e1-982f-adec54e7a63f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/joetustin-cyera/c7d3ab11a87c1c714cd1a843a1a3b91c", "content": "", "creation_timestamp": "2026-03-30T22:31:06.000000Z"}, {"uuid": "dc0c9f3f-dc69-4180-8b1d-fce4ebbf6b64", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "published-proof-of-concept", "source": "Telegram/ph88y4G5oeScgD258CchMKrpr3BuS4k3KcSxkFOuLvPbbMI", "content": "", "creation_timestamp": "2025-06-11T20:16:04.000000Z"}, {"uuid": "563e868e-d3a2-4e5d-9240-2e35a6c23444", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "published-proof-of-concept", 
"source": "https://t.me/cKure/14819", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 \u26a0\ufe0f Zero-click AI exploit in Microsoft 365 Copilot (CVE-2025-32711, CVSS 9.3) lets attackers steal sensitive data silently via email\u2014no user interaction needed.\n\nDetails \u2193 https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html", "creation_timestamp": "2025-06-12T13:43:43.000000Z"}, {"uuid": "76f11018-f145-4a75-9419-05dd8412c2a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/solzard/f1c5ad92142f2d8077e3e316e5dad350", "content": "", "creation_timestamp": "2026-04-16T01:52:33.000000Z"}, {"uuid": "2926e07c-cbcb-4046-a40f-2d1ad8fcdad4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://t.me/poxek/6035", "content": "\u0412\u0430\u0448 LLM-\u0430\u0433\u0435\u043d\u0442\u044b \u0432 \u0437\u043e\u043d\u0435 \u0440\u0438\u0441\u043a\u0438: 3 \u043a\u0435\u0439\u0441\u0430 \u0438 \u0447\u0435\u043a-\u043b\u0438\u0441\u0442\n#ai #security #llm #\u0430\u0433\u0435\u043d\u0442\u044b #agent \n\n\u267e\ufe0f\u041a\u0435\u0439\u0441\u044b\u267e\ufe0f\n\n\u27a1\ufe0f McKinsey: \u0430\u0432\u0442\u043e\u043d\u043e\u043c\u043d\u044b\u0439 \u0430\u0433\u0435\u043d\u0442-\u043f\u0435\u043d\u0442\u0435\u0441\u0442\u0435\u0440 \u043d\u0430\u0448\u0451\u043b \u0432 \u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u043a\u043b\u0430\u0441\u0441\u0438\u0447\u0435\u0441\u043a\u0443\u044e SQL-\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e. 
\u0427\u0435\u0440\u0435\u0437 \u043d\u0435\u0451 \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u043f\u043e\u0434\u043c\u0435\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u043c\u0442 \u0430\u0433\u0435\u043d\u0442\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043a\u0440\u0443\u0442\u0438\u0442\u0441\u044f \u043f\u043e\u0432\u0435\u0440\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u041e\u0442\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 + classic injection = \u043f\u043e\u043b\u043d\u044b\u0439 compromise. \u041d\u0430\u0448\u0451\u043b \u043d\u0435 \u0447\u0435\u043b\u043e\u0432\u0435\u043a - \u043d\u0430\u0448\u0451\u043b \u0434\u0440\u0443\u0433\u043e\u0439 \u0430\u0433\u0435\u043d\u0442.\n\u27a1\ufe0f EchoLeak (CVE-2025-32711): zero-click \u0432 Microsoft 365 Copilot. \u0410\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0439 \u043f\u0440\u0438\u0441\u044b\u043b\u0430\u0435\u0442 \u043f\u0438\u0441\u044c\u043c\u043e \u0441 prompt injection, \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043f\u0440\u043e\u0441\u0438\u0442 Copilot \u0441\u0434\u0435\u043b\u0430\u0442\u044c summary - \u0434\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u0435\u043a\u0430\u044e\u0442 \u0431\u0435\u0437 \u0435\u0434\u0438\u043d\u043e\u0433\u043e \u043a\u043b\u0438\u043a\u0430. XPIA-\u043a\u043b\u0430\u0441\u0441\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u043f\u0440\u043e\u0448\u043b\u0438 \u043c\u0438\u043c\u043e, \u043f\u043e\u0442\u043e\u043c\u0443 \u0447\u0442\u043e prompt \u0431\u044b\u043b \u043d\u0430\u043f\u0438\u0441\u0430\u043d \"\u0434\u043b\u044f \u0447\u0435\u043b\u043e\u0432\u0435\u043a\u0430\".\n\u27a1\ufe0f s1ngularity (NX, \u0430\u0432\u0433\u0443\u0441\u0442 2025): supply chain \u043d\u0430 npm-\u043f\u0430\u043a\u0435\u0442 NX. 
\u0412\u043c\u0435\u0441\u0442\u043e \u0442\u043e\u0433\u043e \u0447\u0442\u043e\u0431\u044b \u0433\u0440\u0435\u043f\u0430\u0442\u044c \u0434\u0438\u0441\u043a, \u0437\u043b\u043e\u0432\u0440\u0435\u0434 \u043d\u0430\u0442\u0440\u0430\u0432\u043b\u0438\u0432\u0430\u043b Claude Code, Gemini CLI \u0438 Amazon Q \u0438\u0441\u043a\u0430\u0442\u044c \u0441\u0435\u043a\u0440\u0435\u0442\u044b. \u041f\u0435\u0440\u0432\u0430\u044f AI-weaponized supply chain \u0430\u0442\u0430\u043a\u0430: ~2300 \u0441\u0435\u043a\u0440\u0435\u0442\u043e\u0432 \u0438\u0437 1300+ \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0435\u0432.\n\n\u267e\ufe0f\u0413\u043b\u0430\u0432\u043d\u044b\u0439 \u0442\u0435\u0439\u043a\u267e\ufe0f\n\n\u041f\u0440\u043e\u043c\u0442 \u0438 \u0434\u0430\u043d\u043d\u044b\u0435 \u0432 LLM \u043d\u0435\u0440\u0430\u0437\u0434\u0435\u043b\u0438\u043c\u044b. SQL \u043c\u043e\u0436\u043d\u043e \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e, \u0430 LM \u043e\u0441\u0442\u0430\u043d\u0435\u0442\u0441\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0439 \u0432\u0441\u0435\u0433\u0434\u0430: \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043a\u0438 \u043b\u043e\u0432\u044f\u0442 ~50%, \u043a\u043b\u0430\u0441\u0441\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b ~25%, LLM-guard \u0435\u0449\u0451 ~15%. 
\u041e\u0441\u0442\u0430\u0432\u0448\u0438\u0439\u0441\u044f 1% \u0441 \u043d\u0430\u043c\u0438 \u043d\u0430\u0432\u0441\u0435\u0433\u0434\u0430.\n\n\u267e\ufe0f\u0427\u0435\u043a-\u043b\u0438\u0441\u0442 \u043d\u0430 \u043f\u0440\u043e\u0434\u267e\ufe0f\n\n\u25aa\ufe0fAllowlist \u0442\u0443\u043b\u043e\u0432 + tool gating\n\u25aa\ufe0f\u0420\u0430\u0437\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u043c\u0442\u0430, \u043f\u0430\u043c\u044f\u0442\u0438 \u0438 \u0434\u0430\u043d\u043d\u044b\u0445 \u0432 \u0440\u0430\u0437\u043d\u044b\u0445 \u0445\u0440\u0430\u043d\u0438\u043b\u0438\u0449\u0430\u0445\n\u25aa\ufe0f\u0418\u043d\u0432\u0435\u043d\u0442\u0430\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u0430\u0433\u0435\u043d\u0442\u043e\u0432 \u0438 \u0438\u0445 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0445 \u043a\u043e\u043d\u043d\u0435\u043a\u0442\u043e\u0432\n\u25aa\ufe0fObservability - \u043b\u043e\u0433\u0438\u0440\u0443\u0439 \u043f\u0440\u043e\u043c\u0442\u044b \u0438 tool calls\n\u25aa\ufe0f\u041d\u0438\u043a\u0430\u043a\u043e\u0433\u043e \u0432\u044b\u0445\u043e\u0434\u0430 \u0432 \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442 \u0431\u0435\u0437 \u043f\u0440\u043e\u0441\u043b\u043e\u0439\u043a\u0438\n\u25aa\ufe0f\u041d\u0435 \u0434\u043e\u0432\u0435\u0440\u044f\u0439 README, .env \u0438 RAG-\u0447\u0430\u043d\u043a\u0430\u043c\n\u25aa\ufe0fRed-teaming \u043f\u0440\u0438 \u043a\u0430\u0436\u0434\u043e\u0439 \u0441\u043c\u0435\u043d\u0435 \u043c\u043e\u0434\u0435\u043b\u0438\n\u25aa\ufe0f\u041c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433 supply chain: MCP, \u0441\u043a\u0438\u043b\u043b\u044b, \u0441\u043a\u0430\u0447\u0438\u0432\u0430\u0435\u043c\u044b\u0435 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u044b\n\n\u0410\u0433\u0435\u043d\u0442\u044b \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u044e\u0442 \u0432\u0441\u0451 \u043f\u043e \u0447\u0443\u0442\u044c-\u0447\u0443\u0442\u044c: 
\u0441\u043d\u0430\u0447\u0430\u043b\u0430 read, \u043f\u043e\u0442\u043e\u043c create, \u043f\u043e\u0442\u043e\u043c delete. \u0418 \u0432\u043e\u0442 \u0442\u044b \u0443\u0436\u0435 \u0434\u043e\u0432\u0435\u0440\u0438\u043b rm -rf \u0441\u0432\u0435\u0436\u0435\u0439 \u043c\u043e\u0434\u0435\u043b\u0438 \u043d\u0430 \u043d\u043e\u0443\u0442\u0435 \u0441 \u043f\u0440\u043e\u0434\u0430\u043a\u0448\u043d-\u043a\u043b\u044e\u0447\u0430\u043c\u0438.\n\n\u267e\ufe0f\u0413\u0434\u0435 \u044d\u0442\u043e \u043e\u0431\u0441\u0443\u0434\u0438\u0442\u044c \u0432\u0436\u0438\u0432\u0443\u044e\u267e\ufe0f\n\n22 \u0430\u043f\u0440\u0435\u043b\u044f \u0432 \u041c\u043e\u0441\u043a\u0432\u0435 South HUB \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442 \u043a\u043b\u0443\u0431\u043d\u0443\u044e \u0432\u0441\u0442\u0440\u0435\u0447\u0443 \"\u041a\u0438\u0431\u0435\u0440\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c \u0432 \u044d\u043f\u043e\u0445\u0443 AI-\u0430\u0433\u0435\u043d\u0442\u043e\u0432\". \u0424\u043e\u0440\u043c\u0430\u0442 - \u043e\u0442\u043a\u0440\u044b\u0442\u0430\u044f \u0434\u0438\u0441\u043a\u0443\u0441\u0441\u0438\u044f \u0431\u0435\u0437 \u0434\u043e\u043a\u043b\u0430\u0434\u043e\u0432 \u0438 \u0441\u043b\u0430\u0439\u0434\u043e\u0432. \u0421\u0440\u0435\u0434\u0438 \u0441\u043f\u0438\u043a\u0435\u0440\u043e\u0432 \u0410\u043d\u0434\u0440\u0435\u0439 \u041a\u0443\u0437\u043d\u0435\u0446\u043e\u0432 (Head of ML, Positive Technologies) - \u043e\u0434\u0438\u043d \u0438\u0437 \u0443\u0447\u0430\u0441\u0442\u043d\u0438\u043a\u043e\u0432 \u0442\u043e\u0433\u043e \u0441\u0430\u043c\u043e\u0433\u043e \u043f\u043e\u0434\u043a\u0430\u0441\u0442\u0430, \u0410\u0440\u0442\u0451\u043c \u0413\u0443\u0442\u043d\u0438\u043a (CISO \u041d\u0421\u041f\u041a), \u0410\u043b\u0435\u043a\u0441\u0435\u0439 \u041b\u0435\u0434\u043d\u0435\u0432 (PT ESC) \u0438 \u0410\u043b\u0435\u043a\u0441\u0435\u0439 \u041b\u0443\u043a\u0430\u0446\u043a\u0438\u0439. 
\u0420\u0435\u0433\u0430 \u0422\u0423\u0422", "creation_timestamp": "2026-04-10T13:40:17.000000Z"}, {"uuid": "97eaf0c7-07f5-4478-8845-c4e9ed9aff87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "published-proof-of-concept", "source": "Telegram/UHDH5Dy8dLbKDvrSUjbHqZq8jdYbFApOrWWgQ31t4VSl0Kk", "content": "", "creation_timestamp": "2026-04-20T15:00:07.000000Z"}, {"uuid": "89e526ed-1eaf-41d4-8e5e-f7705e82d77d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/gacebmohammedseghir17/1e15e1b0e86b0d87ee464e70f8264c79", "content": "", "creation_timestamp": "2026-04-25T18:55:50.000000Z"}, {"uuid": "e8d4bced-fdb2-4218-97d1-3ccc2715046c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/18135", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-32711\n\ud83d\udd25 CVSS Score: 9.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C)\n\ud83d\udd39 Description: Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.\n\ud83d\udccf Published: 2025-06-11T13:22:38.935Z\n\ud83d\udccf Modified: 2025-06-11T19:09:11.255Z\n\ud83d\udd17 References:\n1. 
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711", "creation_timestamp": "2025-06-11T19:33:23.000000Z"}, {"uuid": "45434396-ee54-445a-b9e6-7977ac10cb2d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "Telegram/AaTAW-wTv-7ucBtckgiv1ePBmskZzSVVBdsY9-izGq72-Q", "content": "", "creation_timestamp": "2025-06-12T12:30:25.000000Z"}, {"uuid": "c02ff841-1060-4307-b62b-38af10bc9aff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-32711", "type": "seen", "source": "https://gist.github.com/hungson175/e602af034af17fc3f93c648f39f6431a", "content": "", "creation_timestamp": "2026-05-05T02:53:15.000000Z"}, {"uuid": "b393eb3f-dcc9-4d6f-b3ae-921d66709667", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "published-proof-of-concept", "source": "Telegram/jMzNX-l4Xiewg1jOXgl1UhvTkx33owdRFberACL7GL_LkOo", "content": "", "creation_timestamp": "2025-06-28T11:00:09.000000Z"}, {"uuid": "e9d909d5-f411-43b6-8b6e-e605b3e24e94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/hungson175/e09e3e9302e7a5e4fa30701d485c1815", "content": "", "creation_timestamp": "2026-05-04T13:05:27.000000Z"}, {"uuid": "7a37cdb2-9160-4bf8-8270-d845a36fc077", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "published-proof-of-concept", "source": "https://t.me/thehackernews/6990", "content": "\ud83d\udea8 Zero-click AI exploit in Microsoft 365 Copilot (CVE-2025-32711, CVSS 9.3) lets 
attackers steal sensitive data silently via email\u2014no user interaction needed.\n\nDetails \u2193 https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html\n\nAlready patched, but shows serious AI security risks ahead.", "creation_timestamp": "2025-06-12T13:15:06.000000Z"}, {"uuid": "51699d06-ce7b-4332-97ff-9bbb46f12cba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://t.me/information_security_channel/53707", "content": "\u2018EchoLeak\u2019 AI Attack Enabled Theft of Sensitive Data via Microsoft 365 Copilot\nhttps://www.securityweek.com/echoleak-ai-attack-enabled-theft-of-sensitive-data-via-microsoft-365-copilot/\n\nMicrosoft recently patched CVE-2025-32711, a vulnerability that could have been used for zero-click attacks to steal data from Copilot.\nThe post \u2018EchoLeak\u2019 AI Attack Enabled Theft of Sensitive Data via Microsoft 365 Copilot (https://www.securityweek.com/echoleak-ai-attack-enabled-theft-of-sensitive-data-via-microsoft-365-copilot/) appeared first on SecurityWeek (https://www.securityweek.com/).", "creation_timestamp": "2025-06-12T13:30:53.000000Z"}, {"uuid": "0456183c-4ab9-4658-a8b5-be62e2b6e5a1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-32711", "type": "seen", "source": "https://gist.github.com/niallmerrigan/b43ce627736adaa3dfe9d7c582b89190", "content": "# LLM Red-Team: Mitigations &amp; Further Reading (Attendee Handout)\n\nA one-page-per-section field guide to defending against the attacks covered in this talk \u2014\nplus a curated, source-backed reading list. Covers both directions: **attacks on LLMs** and\n**LLMs used to attack people**.\n\n&gt; Scan the QR or open the gist. 
Slides reference the numbered categories below.\n&gt; Full corpus (technical deep-dives, incidents, references): see the project site / repo.\n\n---\n\n## How to use this handout\n\n- **Universal controls** apply across every category \u2014 start here.\n- **Per-category mitigations** give 3\u20136 concrete, do-this-Monday controls plus the residual risk you can't engineer away.\n- **Framework crosswalk** maps each category to OWASP LLM Top 10 (2025), MITRE ATLAS, and NIST AI RMF / AI 600-1.\n- **Further reading** is grouped Standards \u2192 Vendor guidance \u2192 Notable incidents.\n\n---\n\n## Universal controls (the cross-cutting top 10)\n\nThese reduce risk in *every* category. If you do nothing else, do these.\n\n1. **Treat all model input as untrusted data, never as instructions** \u2014 user text, retrieved docs, tool results, web pages, emails, images. There is no reliable parser boundary between \"data\" and \"commands\" in natural language.\n2. **Keep secrets and authorization out of prompts** \u2014 prompts are recoverable configuration, not a vault. Enforce authz in code/policy, not in the system prompt.\n3. **Least privilege for tools and agents** \u2014 scope tokens narrowly, separate read from write, and gate high-impact actions (payment, email send, deploy, delete) behind explicit human approval.\n4. **Break the path: untrusted content \u2192 privileged tool \u2192 external sink.** Most agentic and injection harm requires all three links; cut any one.\n5. **Provenance on everything** \u2014 tag the source and trust level of every retrieved item, dataset, model, adapter, and tool. Reputation (download counts, stars) is not provenance.\n6. **Defense in depth, not one classifier** \u2014 combine model-level safety, input/output filtering, and application containment. Any single layer will be bypassed eventually.\n7. 
**Constrain outputs** \u2014 small deterministic schemas, allow-listed actions, and output validation beat free-form generation feeding downstream systems.\n8. **Log, monitor, and rate-limit** \u2014 retrieval telemetry, tool-call audit trails, anomaly detection, and unbounded-consumption caps. You can't respond to what you can't see.\n9. **Identity and workflow controls beat content judgment** \u2014 for social-engineering categories, make *accurate context insufficient for authorization*; use phishing-resistant MFA, callbacks, and out-of-band verification.\n10. **Red-team continuously and assume residual risk** \u2014 repeated sampling and new strategies find rare failures. Plan for detection and recovery, not just prevention.\n\n---\n\n## Per-category mitigations\n\n### 01 \u2014 Direct prompt injection\n*Risk: user-turn text overrides intended model behavior.*\n- State an explicit instruction hierarchy and label user content as data, not commands.\n- Add input classifiers (jailbreak/leak phrasing, odd encodings) and output classifiers (sensitive disclosure, schema breaks, unexpected tool plans).\n- Keep task scope narrow with deterministic output contracts for classifiers/extractors.\n- Never place secrets or authz rules in the prompt; delimiters aid readability but are **not** enforcement.\n- **Residual risk:** no prompt or classifier perfectly separates instructions from data.\n\n### 02 \u2014 Indirect prompt injection\n*Risk: payloads arrive via retrieved email, web, docs, images, tool results.*\n- Attach provenance + trust level to every retrieved artifact; render untrusted content inertly.\n- Do **not** auto-execute tools from retrieved content; require approval for high-impact actions.\n- Strip/escape active markup (Markdown links, images, hidden text) before it reaches the model.\n- Apply per-modality filtering (text, HTML, image-embedded text) and egress controls on data sinks.\n- **Residual risk:** assistants must read hostile content to be useful (cf. 
CVE-2025-32711).\n\n### 03 \u2014 Jailbreaks & policy bypass\n*Risk: DAN, Skeleton Key, Crescendo, many-shot, GCG defeat refusals.*\n- Layer model hardening + safety classifiers (e.g., Prompt Shields / Content Safety) + app containment.\n- Cap multi-turn escalation; watch for Crescendo-style gradual boundary erosion across a session.\n- Constrain long-context and repeated-sampling abuse with budgets and anomaly detection.\n- Run automated red-team suites (e.g., PyRIT) against your exact workflow, not generic benchmarks.\n- **Residual risk:** enough sampling + novel phrasing still finds rare refusal failures.\n\n### 04 \u2014 System-prompt leak & extraction\n*Risk: Sydney/GPTs-style prompt disclosure; model-stealing.*\n- Assume the prompt **will** leak; remove secrets, keys, and enforcement logic from it.\n- Move authorization and business rules to server-side code with their own access checks.\n- Rate-limit and monitor extraction patterns (repeated \"repeat the above\", translation/summarize tricks).\n- Treat prompts as versioned, recoverable configuration \u2014 not as a security boundary.\n- **Residual risk:** models can quote, summarize, translate, or infer hidden context.\n\n### 05 \u2014 Training-data poisoning\n*Risk: sleeper agents and web-scale poisoning survive filtering.*\n- Treat datasets as supply-chain artifacts: provenance, immutable snapshots, signed manifests (SLSA).\n- Add promotion gates and trigger-conditioned evaluation (test for backdoor triggers, not just accuracy).\n- Constrain and vet web-scraped corpora; prefer curated, attestable sources for high-stakes models.\n- Keep dataset bills-of-materials and the ability to trace any example back to a source.\n- **Residual risk:** a few poisoned examples can survive and fire only under rare triggers.\n\n### 06 \u2014 Model supply-chain backdoors\n*Risk: pickle RCE, malicious LoRAs, model squatting, conversion jobs.*\n- Treat models, adapters, tokenizers, and inference servers like executable 
dependencies.\n- Prefer safetensors over pickle; scan artifacts; sign and verify (Sigstore) across the pipeline.\n- Pin versions and verify integrity (hashes/manifests); never trust download counts as provenance.\n- Sandbox conversion/loading jobs; lock down inference servers (cf. ShadowRay).\n- **Residual risk:** model ecosystems still mix code and data; reputation \u2260 provenance.\n\n### 07 \u2014 RAG corpus poisoning\n*Risk: PoisonedRAG, retrieval hijacking, embedding attacks.*\n- Govern the corpus as an executable influence surface: source provenance + chunk-level controls.\n- Add retrieval telemetry and gate actions taken on retrieved \"evidence.\"\n- Filter/score documents on ingest; isolate untrusted or user-contributed sources.\n- Apply least-privilege over what the retriever can reach (cf. M365 Copilot data boundaries).\n- **Residual risk:** a user-authorized but malicious doc can still be retrieved and synthesized.\n\n### 08 \u2014 Agentic tool & MCP abuse\n*Risk: confused-deputy, tool poisoning, MCP supply chain, agent worms.*\n- Cut the graph: untrusted content \u2192 privileged tool \u2192 external sink. 
Require approval at sinks.\n- Treat tool descriptions and tool results as untrusted natural-language influence surfaces.\n- Pin and verify MCP servers/tools (integrity manifests); follow MCP security best practices.\n- Enforce per-tool least privilege, allow-listed actions, and full tool-call audit logging.\n- **Residual risk:** every tool surface can steer the agent despite prompt instructions (CWE-441).\n\n### 09 \u2014 LLM-augmented phishing\n*Risk: WormGPT/FraudGPT, polymorphic, localized BEC at scale.*\n- Stop relying on typos/grammar as the tell; shift to identity, workflow, and payment controls.\n- Deploy phishing-resistant MFA (FIDO2) and verified-sender/auth (DMARC/BIMI) on email infrastructure.\n- Add out-of-band verification + dual-approval for payments and vendor bank-detail changes.\n- Train staff on *interactive* AI follow-up, not just static lures.\n- **Residual risk:** AI makes plausible, personalized, multilingual messaging nearly free.\n\n### 10 \u2014 Deepfake vishing & CFO fraud\n*Risk: Arup $25M, Ferrari, WPP \u2014 synthetic voice/video on calls.*\n- Make finance/identity workflows independent of voice, video, hierarchy, and urgency.\n- Mandatory callback to known-good numbers + code words for any high-value/urgent transfer.\n- Dual control and hold/cooling-off on large or unusual payments; no exceptions for \"the CEO.\"\n- Adopt content-provenance signals (C2PA) where available; don't rely on detection alone.\n- **Residual risk:** synthetic media exploits legitimate trust signals, not just detection gaps.\n\n### 11 \u2014 Spear-phishing & OSINT augmentation\n*Risk: LLM-driven victimology from public footprints.*\n- Make accurate context **insufficient** for authorization \u2014 knowing details \u2260 being authorized.\n- Reduce unnecessary public process leakage (org charts, workflows, vendor lists, travel).\n- Strengthen recruiter/exec/developer flows that attackers target with tailored pretexts.\n- Verify requests through 
role-based, out-of-band channels regardless of how convincing.\n- **Residual risk:** professionals must have minable public lives.\n\n### 12 \u2014 Voice clone & real-time impersonation\n*Risk: ElevenLabs/Voice Engine-class cloning; grandparent scams.*\n- Remove voice as sufficient proof of identity; pre-agree family/finance **callback** procedures.\n- Use shared code words and out-of-band confirmation before money or sensitive action moves.\n- Educate high-risk groups (older adults, finance teams) before panic-driven moments arrive.\n- Pair provenance/watermarking (C2PA) with policy; note FCC ruling on AI-voice robocalls.\n- **Residual risk:** cloned voices exploit deep trust and reach via phone, apps, and robocalls.\n\n---\n\n## Framework crosswalk\n\n| # | Category | OWASP LLM Top 10 (2025) | MITRE ATLAS | NIST AI RMF / AI 600-1 |\n|---|---|---|---|---|\n| 01 | Direct prompt injection | LLM01 | AML.T0051 / .000 | Govern/Map/Measure/Manage; GAI: CBRN, Info Integrity |\n| 02 | Indirect prompt injection | LLM01 | AML.T0051.001 | Manage 4.x; Info Integrity |\n| 03 | Jailbreaks & policy bypass | LLM01 | AML.T0051 | Measure 2.x (red-team), Manage |\n| 04 | System-prompt leak | LLM07 / LLM02 | AML.T0051 | Map/Measure; Sensitive Info |\n| 05 | Training-data poisoning | LLM04 | AML.T0020 (data poisoning) | AML 100-2e2025; Govern data |\n| 06 | Model supply-chain backdoors | LLM03 | AML (supply chain) | SLSA/Sigstore-aligned; Govern |\n| 07 | RAG corpus poisoning | LLM04 / LLM08 | AML.T0051.001 | Manage; Info Integrity |\n| 08 | Agentic tool & MCP abuse | LLM06 (Excessive Agency) | AML.T0051 + CWE-441 | Manage 4.x; human-in-loop |\n| 09 | LLM-augmented phishing | LLM09 (Misinformation) | AML (offensive use) | AI RMF + NIST 800-63B |\n| 10 | Deepfake vishing & CFO fraud | \u2014 (human-facing) | AML (offensive use) | 800-63B; C2PA; FCC/FTC |\n| 11 | Spear-phishing & OSINT | LLM09 | AML (offensive use) | AI RMF; 800-63B |\n| 12 | Voice clone & 
real-time | \u2014 (human-facing) | AML (offensive use) | 800-63B; C2PA; FCC |\n\n*Crosswalk is indicative \u2014 see the per-folder `frameworks/` files and `references.md` for exact technique IDs.*\n\n---\n\n## Further reading (curated, source-backed)\n\n### Standards & government guidance\n- **OWASP GenAI \u2014 LLM Top 10 (2025).** https://genai.owasp.org/llm-top-10/\n- **OWASP \u2014 LLM Prompt Injection Prevention Cheat Sheet.** https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html\n- **MITRE ATLAS (adversarial ML knowledge base).** https://atlas.mitre.org/\n- **NIST AI Risk Management Framework.** https://www.nist.gov/itl/ai-risk-management-framework\n- **NIST AI 600-1 \u2014 Generative AI Profile.** https://doi.org/10.6028/NIST.AI.600-1\n- **NIST AI 100-2e2025 \u2014 Adversarial ML: Taxonomy & Mitigations.** https://csrc.nist.gov/pubs/ai/100/2/e2025/final\n- **NIST SP 800-63B \u2014 Digital Identity / Authentication.** https://pages.nist.gov/800-63-3/sp800-63b.html\n- **MCP \u2014 Security Best Practices.** https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices\n- **SLSA \u2014 Supply-chain Levels for Software Artifacts.** https://slsa.dev/spec/v1.0/\n- **Sigstore \u2014 signing & verification.** https://docs.sigstore.dev/\n- **C2PA \u2014 content provenance specs.** https://c2pa.org/specifications/specifications/2.2/index.html\n- **CISA \u2014 Avoiding Social Engineering & Phishing.** https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks\n- **FCC \u2014 AI-generated voices in robocalls are illegal.** https://www.fcc.gov/document/fcc-makes-ai-generated-voices-robocalls-illegal\n\n### Vendor & practitioner guidance\n- **Microsoft \u2014 Defend against indirect prompt injection.** https://learn.microsoft.com/en-us/security/zero-trust/sfi/defend-indirect-prompt-injection\n- **Microsoft \u2014 Prompt Shields / jailbreak detection.** 
https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/jailbreak-detection\n- **Microsoft \u2014 Azure AI Content Safety overview.** https://learn.microsoft.com/en-us/azure/ai-services/content-safety/overview\n- **Microsoft \u2014 Mitigating Skeleton Key jailbreaks.** https://www.microsoft.com/en-us/security/blog/2024/06/26/mitigating-skeleton-key-a-new-type-of-generative-ai-jailbreak-technique/\n- **Microsoft \u2014 Open automation framework to red-team GenAI (PyRIT).** https://www.microsoft.com/en-us/security/blog/2024/02/22/announcing-microsofts-open-automation-framework-to-red-team-generative-ai-systems/\n- **Microsoft/OpenAI \u2014 Staying ahead of threat actors in the age of AI.** https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/\n- **Microsoft \u2014 Disrupting a global cybercrime network abusing GenAI.** https://blogs.microsoft.com/on-the-issues/2025/02/27/disrupting-cybercrime-abusing-gen-ai/\n- **MSRC \u2014 CVE-2025-32711 (M365 Copilot indirect injection).** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711\n\n### Notable incidents (talk anchors)\n- **Arup $25M deepfake video call (CNN, 2024).** https://www.cnn.com/2024/05/16/tech/arup-deepfake-scam-loss-hong-kong-intl-hnk/index.html\n- **Finance worker pays $25M after deepfake \"CFO\" call (FT, 2024).** https://www.ft.com/content/6108c15d-948e-4d3e-8a64-6b4b6c9e7b5e\n- **How Ferrari hit the brakes on a deepfake CEO (MIT SMR, 2025).** https://sloanreview.mit.edu/article/how-ferrari-hit-the-brakes-on-a-deepfake-ceo/\n- **Fraudsters mimic CEO's voice (WSJ, 2019).** https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402\n- **Bing Chat prompt-leak (CBC, 2023).** https://www.cbc.ca/news/science/bing-chatbot-ai-hack-1.6752490\n- **ShadowRay \u2014 exposed AI infra exploited (MITRE ATT&CK C0045).** https://attack.mitre.org/campaigns/C0045/\n\n> Full 
bibliography (157 deduped references across academic, vendor, government, news, and community sources): see `research/REFERENCES.md` in the corpus.\n\n---\n\n*Handout generated for the talk. Mitigations distilled from the 12 per-category defense briefs in the\nresearch corpus. Numbered categories match the slides and the project site's taxonomy.*\n", "creation_timestamp": "2026-05-31T20:52:14.000000Z"}]}