Foundry - ASCII smuggling / invisible-Unicode injection
Foundry Ascii Smuggling Injection
Query
AppDependencies
| where isnotempty(Properties["gen_ai.input.messages"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
Model = tostring(Properties["gen_ai.request.model"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
Prompt = tostring(Properties["gen_ai.input.messages"]),
SrcIp = tostring(column_ifexists("ClientIP", ""))
| where isnotempty(Prompt)
| extend
TagChars = array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Prompt)),
ZeroWidth = array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Prompt)),
BidiOverride = array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Prompt))
| where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0
| extend Signal = case(
TagChars > 0, "UnicodeTagSmuggling",
BidiOverride > 0, "BidiOverride",
"ZeroWidthObfuscation")
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
TimeGenerated, Signal, AccountName, Agent, Model, ProjectId, ConvId,
TagChars, ZeroWidth, BidiOverride,
Prompt = substring(Prompt, 0, 1024), SrcIp
| order by TimeGenerated descExplanation
This query is designed to detect potential security threats related to ASCII smuggling or invisible Unicode injection attacks in a system using Foundry or Agent Service. Here's a simplified breakdown of what the query does:
-
Purpose: The query raises an alert if it detects hidden or non-visible Unicode characters in the input messages of a system, which could indicate an attempt to smuggle ASCII instructions or inject hidden commands.
-
Data Source: It analyzes data from the
AppDependenciestable, specifically looking at thegen_ai.input.messagesproperty. This data is only available if content recording is enabled. -
Detection Criteria:
- It checks for the presence of:
- Unicode Tag characters (U+E0000-U+E007F) used for encoding hidden instructions.
- Zero-width characters (U+200B-U+200D, U+FEFF, U+2060) that are invisible in text.
- Bidirectional override characters (U+202A-U+202E, U+2066-U+2069) that can alter text direction.
- An alert is triggered if any Tag characters are found, if there are three or more zero-width characters, or if any bidirectional override characters are present.
- It checks for the presence of:
-
Alert Details:
- The alert includes information such as the time of detection, type of signal (e.g., UnicodeTagSmuggling, BidiOverride, ZeroWidthObfuscation), account name, agent, model, project ID, conversation ID, and a snippet of the prompt text.
-
Severity and Tactics:
- The severity of the alert is set to "Medium".
- The tactics associated with this detection are "Defense Evasion" and "Initial Access", with relevant techniques being T1027 (Obfuscated Files or Information) and T1566 (Phishing).
-
Incident Management:
- If an alert is triggered, an incident is created.
- Incidents are grouped by account and can be reopened if new related alerts are detected within a 6-hour lookback period.
-
Configuration:
- The query runs every hour and checks data from the past hour.
- It is enabled by default and is part of a scheduled detection rule.
Overall, this query helps in identifying and responding to potential security threats involving hidden instructions or obfuscation techniques in system inputs.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: PT1H