How Microsoft defends against indirect prompt injection attacks

Source: Microsoft Security Response Center

Author: unknown

URL: https://msrc.microsoft.com/blog/2025/07/how-microsoft-defends-against-indirect-prompt-injection-attacks/

ONE SENTENCE SUMMARY:

Microsoft employs a defense-in-depth strategy against indirect prompt injection in LLMs, focusing on prevention, detection, and impact mitigation.

MAIN POINTS:

1. Indirect prompt injection targets LLMs by manipulating input data to misinterpret instructions.
2. Potential impacts include data exfiltration and unintended user actions.
3. Microsoft’s defense-in-depth approach includes probabilistic and deterministic measures.
4. Prevention strategies involve system prompts and Spotlighting to differentiate trusted/untrusted input.
5. Detection employs Microsoft Prompt Shields, integrated with Defender for Cloud.
6. Impact mitigation includes data governance and user consent workflows.
7. Advanced research contributes new mitigation techniques, like TaskTracker and FIDES.
8. Recent efforts involve open-sourcing datasets and running public challenges.
9. System design aims to limit security impacts even if prompt injections succeed.
10. Defense strategies are continually evolving with architectural changes and research initiatives.

TAKEAWAYS:

1. Defense-in-depth combines multiple strategies to combat prompt injection.
2. Prevention hinges on clear distinction between trusted and untrusted inputs.
3. Detection relies on continuous update and integration of safety tools.
4. Mitigation strategies ensure minimal impact even if injections occur.
5. Ongoing research and public challenges advance understanding and defenses.