Query Details
id: 5f607182-1414-4313-9213-0123456789e3
name: Foundry - ASCII smuggling / invisible-Unicode injection
description: |
  Raises an incident when Foundry / Agent Service input contains invisible
  / non-rendering Unicode that is the hallmark of an ASCII smuggling or
  hidden-instruction attack: characters from the Unicode Tags block
  (U+E0000-U+E007F, used to encode hidden ASCII instructions), zero-width
  characters (U+200B-U+200D, U+FEFF, U+2060), or bidirectional overrides
  (U+202A-U+202E, U+2066-U+2069). These let an attacker pass instructions
  the user cannot see, to bypass guardrails or smuggle indirect prompt
  injection through copied content.

  Reads gen_ai.input.messages from the AppDependencies span property bag
  (Properties). The prompt text only exists when
  AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED is set, so without
  content recording this rule will not fire.
severity: Medium
requiredDataConnectors:
  - connectorId: ApplicationInsights
    dataTypes:
      - AppDependencies
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
  - DefenseEvasion
  - InitialAccess
relevantTechniques:
  - T1027
  - T1566
query: |
  AppDependencies
  | where isnotempty(Properties["gen_ai.input.messages"])
  | extend
      Agent = tostring(Properties["gen_ai.agent.name"]),
      Model = tostring(Properties["gen_ai.request.model"]),
      ConvId = tostring(Properties["gen_ai.conversation.id"]),
      ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
      Prompt = tostring(Properties["gen_ai.input.messages"]),
      SrcIp = tostring(column_ifexists("ClientIP", ""))
  | where isnotempty(Prompt)
  | extend
      TagChars = array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Prompt)),
      ZeroWidth = array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Prompt)),
      BidiOverride = array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Prompt))
  | where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0
  | extend Signal = case(
      TagChars > 0, "UnicodeTagSmuggling",
      BidiOverride > 0, "BidiOverride",
      "ZeroWidthObfuscation")
  | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
  | project
      TimeGenerated, Signal, AccountName, Agent, Model, ProjectId, ConvId,
      TagChars, ZeroWidth, BidiOverride,
      Prompt = substring(Prompt, 0, 1024), SrcIp
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: Model
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
  - Sentinel-As-Code
  - Custom
  - Foundry
  - AI
  - AsciiSmuggling
  - IndirectInjection
  - OWASP-LLM01
This query detects potential ASCII smuggling or invisible-Unicode injection attacks against a system using Foundry or Agent Service. Here's a simplified breakdown of what the query does:
Purpose: The query raises an alert when it finds hidden or non-rendering Unicode characters in the input messages sent to the model, which could indicate an attempt to smuggle ASCII instructions or inject hidden commands that the user cannot see.
Data Source: It analyzes the AppDependencies table, specifically the gen_ai.input.messages property in each span's Properties bag. This data is only present when content recording is enabled (AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED is set).
Detection Criteria: It counts three classes of characters in the prompt: Unicode Tags block characters (U+E0000-U+E007F), zero-width characters (U+200B-U+200D, U+FEFF, U+2060) and bidirectional overrides (U+202A-U+202E, U+2066-U+2069). A row matches when it contains at least one tag character, at least one bidirectional override, or three or more zero-width characters, so a single stray zero-width character does not fire on its own.
Alert Details: Each match is labelled with a Signal of UnicodeTagSmuggling, BidiOverride or ZeroWidthObfuscation, in that order of precedence. The alert carries the agent name, model, project and conversation IDs, the three character counts, the first 1024 characters of the prompt and the client IP when the ClientIP column exists.
Severity and Tactics: Severity is Medium. The rule is mapped to the Defense Evasion and Initial Access tactics and to techniques T1027 and T1566.
Incident Management: All matches from one run are grouped into a single alert and an incident is created. Incidents are grouped by the Account entity (the agent name, or unknown-agent when it is empty) over a 6-hour lookback, and closed incidents are not reopened.
Configuration: The query runs every hour over the previous hour and triggers when it returns more than zero rows. The agent name is mapped to an Account entity and the model to a CloudApplication entity.
Overall, this query helps identify and respond to hidden-instruction or obfuscation attempts in agent inputs.
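As an added example (not part of the rule or of the Sentinel-as-code repository), the following Python mirrors the rule's three character classes, thresholds and case() precedence so the logic can be unit-tested offline, adds a triage helper that maps Tag-block characters back to the ASCII they clone, and covers one storage caveat worth checking: if gen_ai.input.messages is stored as \u-escaped JSON, the regexes see only ASCII and miss it. The sample prompts are constructed, and the escaped-JSON storage form is an assumption, not something the rule page states.

```python
import json
import re
from typing import Optional

# Same three classes as the KQL rule; RE2 writes \x{E0000}, Python's re wants \U000E0000.
TAG_RE = re.compile(r"[\U000E0000-\U000E007F]")
ZERO_WIDTH_RE = re.compile(r"[\u200B-\u200D\uFEFF\u2060]")
BIDI_RE = re.compile(r"[\u202A-\u202E\u2066-\u2069]")

def classify(prompt: str) -> Optional[dict]:
    """Mirror the rule's where/case logic: same counts, same thresholds (any tag,
    any bidi, 3+ zero-width) and same case() precedence; None if it would not fire."""
    tag = len(TAG_RE.findall(prompt))
    zw = len(ZERO_WIDTH_RE.findall(prompt))
    bidi = len(BIDI_RE.findall(prompt))
    if not (tag > 0 or zw >= 3 or bidi > 0):
        return None
    signal = ("UnicodeTagSmuggling" if tag > 0
              else "BidiOverride" if bidi > 0 else "ZeroWidthObfuscation")
    return {"Signal": signal, "TagChars": tag, "ZeroWidth": zw, "BidiOverride": bidi}

def reveal_tags(prompt: str) -> str:
    """Triage helper: Tag-block characters clone ASCII (U+E0041 is 'A'), so
    subtracting 0xE0000 shows what the hidden text says. Non-printable tag
    code points (U+E0001, U+E007F) are dropped."""
    return "".join(chr(ord(c) - 0xE0000) for c in TAG_RE.findall(prompt)
                   if 0xE0020 <= ord(c) <= 0xE007E)

def unescape_if_json(value: str) -> str:
    """If the span property stores the messages as JSON with \\uXXXX escapes, the
    regexes above see only ASCII and miss them; re-serialising with
    ensure_ascii=False restores the code points. Non-JSON input is returned as is.
    (Assumption: the stored form is not documented on the rule page.)"""
    try:
        return json.dumps(json.loads(value), ensure_ascii=False)
    except ValueError:
        return value

# Constructed sample prompts, not real telemetry. The smuggled one appends the
# Tag-block clones of the word "ignore" after visible text.
SAMPLES = {
    "clean": "Summarize the attached quarterly report.",
    "tag_smuggled": "Summarize this." + "\U000E0069\U000E0067\U000E006E\U000E006F\U000E0072\U000E0065",
    "single_bom": "\uFEFFHello",                   # one zero-width char: below threshold
    "zw_padded": "He\u200Bll\u200Bo\u200B world",  # three zero-width chars: fires
    "bidi": "safe \u202Etxet desrever",
}

if __name__ == "__main__":
    print({name: classify(unescape_if_json(text)) for name, text in SAMPLES.items()})
```

Running the block prints one result per sample; the clean and single_bom prompts return None, matching rows the KQL rule would not surface.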

David Alonso
Released: June 8, 2026