Indirect prompt injection hides malicious instructions inside content the model will later read — a web page your AI browsing agent visits, a resume your hiring-assistant summarizes, an email your AI reads on your behalf. In a widely-discussed 2023 disclosure, Stanford student Kevin Liu got Microsoft's Bing Chat ("Sydney") to reveal its confidential codename and internal rules simply by asking it to ignore prior instructions — a direct case, but researchers quickly showed the same class of exposure could be triggered indirectly, by planting instructions in a web page the assistant was asked to summarize, with no need to type anything suspicious into the chat box at all.
This is the injection class enterprises get burned by most, because it's invisible to the end user: a support agent asks a helpful AI assistant to "summarize this ticket," and the ticket itself contains a hidden instruction telling the assistant to exfiltrate account data in its reply. Nobody typed anything malicious — the poisoned document did the attacking.