Query Details

Foundry - ASCII smuggling / invisible-Unicode injection

Foundry Ascii Smuggling Injection

Query

AppDependencies
| where isnotempty(Properties["gen_ai.input.messages"])
| extend
    Agent     = tostring(Properties["gen_ai.agent.name"]),
    Model     = tostring(Properties["gen_ai.request.model"]),
    ConvId    = tostring(Properties["gen_ai.conversation.id"]),
    ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
    Prompt    = tostring(Properties["gen_ai.input.messages"]),
    SrcIp     = tostring(column_ifexists("ClientIP", ""))
| where isnotempty(Prompt)
| extend
    TagChars     = array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Prompt)),
    ZeroWidth    = array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Prompt)),
    BidiOverride = array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Prompt))
| where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0
| extend Signal = case(
    TagChars > 0,     "UnicodeTagSmuggling",
    BidiOverride > 0, "BidiOverride",
    "ZeroWidthObfuscation")
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
    TimeGenerated, Signal, AccountName, Agent, Model, ProjectId, ConvId,
    TagChars, ZeroWidth, BidiOverride,
    Prompt = substring(Prompt, 0, 1024), SrcIp
| order by TimeGenerated desc

Explanation

This query is designed to detect potential security threats related to ASCII smuggling or invisible Unicode injection attacks in a system using Foundry or Agent Service. Here's a simplified breakdown of what the query does:

  1. Purpose: The query raises an alert if it detects hidden or non-visible Unicode characters in the input messages of a system, which could indicate an attempt to smuggle ASCII instructions or inject hidden commands.

  2. Data Source: It analyzes data from the AppDependencies table, specifically looking at the gen_ai.input.messages property. This data is only available if content recording is enabled.

  3. Detection Criteria:

    • It checks for the presence of:
      • Unicode Tag characters (U+E0000-U+E007F) used for encoding hidden instructions.
      • Zero-width characters (U+200B-U+200D, U+FEFF, U+2060) that are invisible in text.
      • Bidirectional override characters (U+202A-U+202E, U+2066-U+2069) that can alter text direction.
    • An alert is triggered if any Tag characters are found, if there are three or more zero-width characters, or if any bidirectional override characters are present.
  4. Alert Details:

    • The alert includes information such as the time of detection, type of signal (e.g., UnicodeTagSmuggling, BidiOverride, ZeroWidthObfuscation), account name, agent, model, project ID, conversation ID, and a snippet of the prompt text.
  5. Severity and Tactics:

    • The severity of the alert is set to "Medium".
    • The tactics associated with this detection are "Defense Evasion" and "Initial Access", with relevant techniques being T1027 (Obfuscated Files or Information) and T1566 (Phishing).
  6. Incident Management:

    • If an alert is triggered, an incident is created.
    • Incidents are grouped by account and can be reopened if new related alerts are detected within a 6-hour lookback period.
  7. Configuration:

    • The query runs every hour and checks data from the past hour.
    • It is enabled by default and is part of a scheduled detection rule.

Overall, this query helps in identifying and responding to potential security threats involving hidden instructions or obfuscation techniques in system inputs.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesPropertiesAgentModelConvIdProjectIdPromptSrcIpTimeGeneratedSignalAccountNameCloudApplicationAccountName

Operators

isnotemptytostringcolumn_ifexistsarray_lengthextract_allcaseiffisemptysubstringprojectorder by

Severity

Medium

Tactics

DefenseEvasionInitialAccess

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub