← Back to Library

LLMail-Inject: A Dataset from a Realistic Adaptive Prompt Injection Challenge

Authors: Sahar Abdelnabi, Aideen Fay, Ahmed Salem, Egor Zverev, Kai-Chieh Liao, Chi-Huang Liu, Chun-Chih Kuo, Jannis Weigend, Danyael Manlangit, Alex Apostolov, Haris Umair, João Donato, Masayuki Kawakita, Athar Mahboob, Tran Huu Bach, Tsun-Han Chiang, Myeongjin Cho, Hajin Choi, Byeonghyeon Kim, Hyeonjin Lee, Benjamin Pannell, Conor McCauley, Mark Russinovich, Andrew Paverd, Giovanni Cherubin

Published: 2025-06-11

arXiv ID: 2506.09956v1

Added to Library: 2025-11-11 14:14 UTC

Red Teaming

📄 Abstract

Indirect Prompt Injection attacks exploit the inherent limitation of Large Language Models (LLMs) to distinguish between instructions and data in their inputs. Despite numerous defense proposals, the systematic evaluation against adaptive adversaries remains limited, even when successful attacks can have wide security and privacy implications, and many real-world LLM-based applications remain vulnerable. We present the results of LLMail-Inject, a public challenge simulating a realistic scenario in which participants adaptively attempted to inject malicious instructions into emails in order to trigger unauthorized tool calls in an LLM-based email assistant. The challenge spanned multiple defense strategies, LLM architectures, and retrieval configurations, resulting in a dataset of 208,095 unique attack submissions from 839 participants. We release the challenge code, the full dataset of submissions, and our analysis demonstrating how this data can provide new insights into the instruction-data separation problem. We hope this will serve as a foundation for future research towards practical structural solutions to prompt injection.

🔍 Key Points

  • Introduction of the LLMail-Inject challenge, highlighting the complexities of indirect prompt injection attacks and the need for realistic evaluation of defenses against such attacks.
  • Creation of a comprehensive dataset with over 208,095 submissions from 839 participants, providing a valuable resource for studying adaptive prompt injection strategies.
  • Analysis showing the effectiveness of different defenses against adaptive prompt injection attacks, with insights on their performance metrics and failure cases.
  • Identification of novel strategies used by participants to successfully execute attacks, emphasizing the role of special tokens and email structuring in bypassing defenses.
  • Potential real-world implications of the findings for securing LLM-based applications against sophisticated injection attacks, providing a roadmap for future research on these vulnerabilities.

💡 Why This Paper Matters

The paper is significant as it addresses a pressing concern in AI security regarding the vulnerabilities of large language models to indirect prompt injection attacks. By organizing a challenge that simulates realistic attack scenarios and by providing an extensive dataset for analysis, the authors set a foundation for further exploration and enhancement of security measures around AI applications.

🎯 Why It's Interesting for AI Security Researchers

This paper is crucial for AI security researchers as it not only unveils the vulnerabilities present in current LLM architectures but also provides empirical data for testing and developing more robust defenses. The insights gained from the challenge's results and strategies employed by participants enhance the understanding of adaptivity in prompt injection attacks, thereby informing the design of future AI systems that can better resist such threats.

📚 Read the Full Paper

📄 View on arXiv