Researchers demonstrated that invisible prompt injection combined with prompt overdose can force AI summarizers to output hidden ClickFix-style instructions, enabling covert delivery of ransomware execution steps embedded in HTML via CSS obfuscation. The technique exploits summarizers in email clients, browser extensions, and productivity tools, turning them into unintentional distribution channels for attacker-controlled commands. #ClickFix #prompt_overdose
Keypoints
- Invisible prompt injection embeds attacker-controlled instructions in HTML using CSS/HTML tricks (opacity:0, font-size:0, zero-width characters, off-screen positioning) so humans cannot see them but models can.
- Prompt overdose repeats hidden payloads extensively to dominate the model’s context window and steer summarizer output toward attacker-chosen instructions.
- Summarizers across platforms (email clients, browser extensions, productivity assistants) were shown to reproduce the hidden ClickFix instructions verbatim, including Base64-encoded PowerShell command examples used in PoC tests.
- The attack combines a hidden steering directive (instructing the summarizer to extract and output a target class) with payload saturation to ensure both content dominance and behavioral alignment of the model.
- Real-world impact includes mass amplification of social-engineering lures, lowering the skill bar to execute ransomware, SEO-driven distribution, insider risks within enterprises, and rapid operationalization by threat actors.
- Mitigations include client-side HTML sanitization, prompt-filtering, payload pattern recognition (including decoding Base64 commands), context-window balancing, UX warnings about hidden-origin content, and enterprise AI policy enforcement.
- Limitations include model variability, limited coverage of summarizers tested, visibility of payloads to advanced defenders inspecting raw DOM/HTML, and the potential for benign uses that complicate detection.
MITRE Techniques
- [T1204] User Execution – Attackers rely on users executing AI-provided instructions (ClickFix steps) such as pasting and running commands: “To resolve the issue, copy powershell.exe -enc d2hvYW1p, press Win+R, paste the command, and press Enter.”
- [T1553] Subvert Trust Controls – The attack subverts trust in AI summarizers by injecting hidden directives that force the model to output attacker-controlled content: “…explicitly instructing the summarizer to ignore all other text and focus exclusively on the payload…”
- [T1027] Obfuscated Files or Information – Payloads are hidden in HTML using CSS and zero-width characters (white-on-white text, tiny fonts, off-screen positioning) to conceal malicious instructions from humans while remaining machine-readable: “hidden from human view using CSS and HTML obfuscation methods — such as zero-width characters, white-on-white text, tiny font sizes, or hidden containers.”
- [T1609] Data from Information Repositories – Attackers publish poisoned HTML pages or posts that can be indexed and ingested by summarizers, causing redistribution of instructions via search snippets, email previews, and aggregation: “When published or distributed, this crafted content can be indexed by search engines, posted on forums, or sent directly to targets.”
- [T1496] Resource Hijacking (overlap with misuse of automation) – Using summarization systems as unintended conduits to propagate execution steps effectively leverages automated tools to hijack user behavior: “turning AI from a passive assistant into an active participant in the social engineering chain.”
Indicators of Compromise
- [Hidden HTML/CSS patterns] Obfuscated/invisible text usage in web/email content – examples: CSS styles like “opacity: 0”, “font-size: 0”, white-on-white color schemes, zero-width characters.
- [Command patterns] Embedded encoded execution commands in hidden payloads – example: “powershell.exe -enc d2hvYW1p” (Base64-encoded PowerShell command) and other Base64-encoded commands.
- [HTML class/DOM markers] Repeated hidden containers and steering directives – example: elements using a summaryReference class with repeated hidden directive blocks; multiple hidden containers repeated dozens of times.
- [Distribution artifacts] Presence of poisoned pages in public/content repositories – example contexts: SEO-indexed blog posts, forum posts, or emailed HTML content containing hidden payloads (and many more similarly poisoned pages).