PROMPT injection via email is a newly emerging risk where malicious or manipulative instructions are hidden in content AI systems will process, such as emails, documents and chat histories. Darktrace notes a 90% increase in signals of potential prompt injection across customer deployments since monitoring began in late 2025, with high‑confidence matches from internal scoring.
Early examples include HashJack, a November 2025 technique that hides instructions in a URL fragment to trick AI web assistants, and ShadowLeak, a September 2025 method that exfiltrates PII via an email‑connected agent. The risks include data exfiltration and agentic workflow poisoning, where instructions persist across interactions or direct AI to include malicious links, effectively placing the attacker inside the workflow.
Detection hinges on contextual analysis, such as prompt density scoring and obfuscated prompts, rather than traditional signals like links or attachments; Darktrace also highlights that a single IP (103.177.110[.]202) can be used for spreading, payload delivery and C2 in this botnet example, underscoring the need for behavioural monitoring.
According to NIST, vulnerability disclosures have risen, but patch velocity alone is not a sufficient defence, so organisations should question their email security providers about safeguards that prevent emails from influencing AI‑driven workflows and how benign content with hidden prompts is assessed. 1 May 2026