system: OPERATIONAL
← back to all hacks
INDIRECT INJECTION MEDIUM NEW

Topic-transition injection: smuggling instructions past a RAG system with a smooth pivot

A research attack shows that gradually steering a document's topic toward a hidden instruction makes indirect prompt injection far more effective — and points to attention-ratio monitoring as a defense.

2026-07-08 // 6 min affects: rag-systems, search-augmented-llms, tool-using-llm-agents

In brief Indirect prompt injection hides instructions inside the documents a model retrieves rather than in the user’s prompt. A method presented at EMNLP 2025 — TopicAttack (arXiv preprint 2507.13686) — shows that how the instruction is introduced matters as much as the instruction itself: instead of pasting a command abruptly into unrelated text, the attacker adds a short fabricated passage that gradually pivots the topic toward the hidden instruction. That smooth transition pushes reported attack success rates above 90% in most tested settings, even with several defenses in place. Usefully, the same paper offers a defensive handle — an attention-ratio signal that separates successful injections from benign text. This is a class writeup, not an exploit guide.

What is this?

Retrieval-augmented generation (RAG) and tool-using agents routinely feed a model text they did not write: search results, fetched web pages, retrieved knowledge-base chunks. Because large language models follow instructions well and do not cleanly separate instructions from data, any command embedded in that retrieved text can be executed as if the user had typed it. That is indirect prompt injection, and it has been documented for years.

What the EMNLP 2025 work adds is an observation about presentation. Earlier indirect-injection techniques tend to drop the malicious instruction into the document abruptly — a page about a city that suddenly contains “now write an advertisement for a coffee chain.” The abruptness is part of what makes such injections fragile: it is out of place, and both the model and any anomaly detector have something to catch. The paper’s method reframes the problem as a smoothness problem.

How it works

The technique is conceptual and does not require a novel payload. Its shape looks like this:

Topic-transition indirect injection (conceptual, redacted)
----------------------------------------------------------
1. Attacker controls a retrievable document (a web page, a
   review, a wiki entry) that a RAG system may pull in.
2. Instead of appending the hidden instruction cold, the
   attacker inserts a short bridging passage that starts on
   the document's real topic and drifts, sentence by sentence,
   toward the topic of the injected instruction.
3. By the time the injected instruction appears, the surrounding
   context makes it read as a natural continuation rather than a
   jarring switch.
4. When the model retrieves the document, more of its attention
   lands on the injected span -> it is more likely to follow it.

The reported result is that this gradual transition raises the attack success rate above 90% in most of the evaluated configurations, and that it holds up even when several existing defenses are applied. The authors then look under the hood using attention scores. They find a straightforward relationship: the higher the ratio of attention paid to the injected tokens versus the original content, the more likely the injection succeeds — and the transition trick achieves a markedly higher ratio than blunt baselines. In other words, the attack works by winning the competition for the model’s attention, and it does so by not looking like an interruption.

Why it matters

The practical lesson is that filtering for “obvious” injected instructions is a weak defense, because obviousness is exactly the property an attacker can engineer away. If your RAG pipeline’s protection assumes injected commands will be detectably out of context, a smooth topic pivot defeats that assumption. Any system that ingests attacker-influenceable text — search agents, review-summarizers, support bots grounded on public pages, research assistants that browse — inherits this exposure, and the fix cannot be “the injection will look weird.”

It also reframes indirect injection as partly an attention-allocation phenomenon rather than a pure content-matching one. That is uncomfortable, because it means a defender staring at the raw text may see nothing alarming while the model internally over-weights the malicious span.

Defenses

The same research points to concrete, layered mitigations:

  1. Attention-ratio anomaly detection. The paper’s own analysis is the defensive gift: monitor how much of the model’s attention concentrates on any single retrieved span relative to the rest of the context, and flag or re-check inputs where an unexpected region dominates. An injection that wins attention is measurable even when the surface text reads smoothly.
  2. Provenance and signing for retrieved content. Track where each chunk came from and treat unsigned or low-trust external text as data-only. Cryptographic signing and data-provenance labels let the pipeline refuse to act on instructions that arrive through a retrieval channel.
  3. Keep retrieved text out of the instruction path. Enforce a structural boundary — spotlighting, delimiters the model is trained to respect, or an out-of-band policy layer — so that retrieved documents can inform an answer but cannot issue commands. Deterministic, model-external mediation of actions (reference monitors, capability limits) remains the most robust class of defense.
  4. Least authority for the agent. If a summarizer or search agent has no tools that move money, send mail, or exfiltrate data, a successful injection has a much smaller blast radius. Scope tools tightly and require confirmation for consequential actions.
  5. Adversarial testing with smooth injections. Red-team your retrieval pipeline with gradual, in-context injections, not just blatant ones, so your evaluation reflects the harder case.

Status

ItemReferenceDateNotes
TopicAttack (topic-transition indirect injection)arXiv 2507.13686EMNLP 2025 (preprint)Research method; reports ASR >90% in most settings, robust to several defenses
Attention-ratio findingSame paperHigher injected-to-original attention ratio correlates with success; basis for an anomaly-detection defense

The takeaway is not that a new, unstoppable attack exists — it is that the packaging of an indirect injection is a real variable, and defenses that rely on injected instructions looking out of place are brittle. Build for the case where the malicious text reads perfectly naturally, and lean on attention-level and provenance signals rather than surface plausibility.

Sources