Prompt Injection Attacks Hit 90+ Enterprises in 2025

Enterprise AI systems are executing attacker commands

More than 90 organizations fell victim to prompt injection attacks during 2025, according to CrowdStrike's 2026 Global Threat Report. The attacks used carefully crafted prompts to generate commands that stole credentials and cryptocurrency—leading CrowdStrike to characterize prompts themselves as a new form of malware.

The same report documented an 89% year-over-year increase in AI-enabled adversary operations. Notably, 82% of intrusions involved no traditional malicious code, a shift that coincides with enterprises deploying AI agents and copilots with access to email systems, code repositories, payment platforms, and file shares.

Why it matters

As enterprises move beyond chatbots into autonomous agents that can read email, modify infrastructure, and execute code, the attack surface has fundamentally changed. Traditional security controls—input validation, signature detection, patch cycles—depend on separating trusted instructions from untrusted data. Language models process both through a single text channel, making that separation impossible. Organizations deploying AI agents without additional safeguards are effectively granting attackers a new execution environment that bypasses conventional defenses.

How the attacks work

Prompt injection remains the top vulnerability on the OWASP Top 10 for large language model applications, holding the LLM01 position across two consecutive editions. The core problem is straightforward: language models cannot reliably distinguish between instructions written by developers and text retrieved from external sources like webpages, emails, or documents.

Direct prompt injection occurs when users type instructions that override system prompts. Indirect prompt injection—the more dangerous variant—happens when attackers plant malicious instructions in content the model will later process on behalf of another user. The payload can hide in a Slack message, Confluence page, calendar invite, or uploaded file. The target user never sees the attack, and the agent executes the planted commands.

Two incidents illustrate the operational risk. In August 2024, PromptArmor disclosed that attackers with Slack workspace access could exfiltrate data from private channels by planting instructions in public channels or uploaded files. The following year, Aim Security revealed EchoLeak (CVE-2025-32711, CVSS 9.3), described as the industry's first zero-click prompt injection against a production system. A single crafted email could cause Microsoft 365 Copilot to retrieve internal files and forward them to attacker-controlled servers without any user interaction.

Vendor defenses show persistent gaps

OpenAI acknowledged in December 2025 that prompt injection, like social engineering, is unlikely to ever be fully solved. The company disclosed building an internal reinforcement-learning attacker to discover injection strategies before they appear in the wild.

Anthropic published measured success rates in its Claude Opus 4.6 system card. A graphical-interface agent succumbed to injection 17.8% of the time on a single attempt. Across 200 attempts, the success rate climbed to 78.6% without safeguards and 57.1% with published defenses active. Google separately reported that its most effective documented attack against Gemini deployments succeeded 53.6% of the time even after adversarial fine-tuning.

Gartner responded in December 2025 by advising CISOs to block all AI browsers, including ChatGPT Atlas and Perplexity Comet, citing indirect prompt injection and credential exposure risks. The UK National Cyber Security Centre and Germany's BSI issued parallel warnings. Meanwhile, Cyberhaven found that 27.7% of organizations already had at least one user with Atlas installed, and 65.3% of organizations lack any dedicated prompt injection defenses.

Controls that work live outside the model

Durable defenses require architectural changes rather than model improvements. Enterprises should limit each agent's authority to the minimum privilege set required for its function. Human approval gates should protect high-consequence actions: sending mail, executing code, completing payments, modifying access controls. Security teams can tag retrieval sources by sensitivity and exclude restricted content from RAG pipelines by default. Network teams can allowlist the specific domains agents are permitted to reach. Audit systems should log the complete reasoning trace of every consequential action.

The operating assumption for any enterprise deploying AI agents must be that the model will follow injected instructions some fraction of the time. The only reliable controls exist outside the model itself.

These details were first reported by Janakiram MSV in Forbes.