Query Details

Foundry - Computer-Use Agent visual prompt-injection

Foundry Cua Visual Attack

Query

let injectionMarkers = dynamic([
    "ignore previous instructions","disregard previous","you are now",
    "developer mode","do anything now","reveal your system prompt",
    "ignore the user","execute the following","run this command",
    "send the data to","upload to","download from","navigate to",
    "click this link","follow this link","copy and paste this",
    "type the following","press enter to","authorise the transaction"
]);
AppDependencies
| where TimeGenerated > ago(1h)
| extend
    Agent      = tostring(Properties["gen_ai.agent.name"]),
    Model      = tostring(Properties["gen_ai.request.model"]),
    ConvId     = tostring(Properties["gen_ai.conversation.id"]),
    ProjectId  = tostring(Properties["microsoft.foundry.project.id"]),
    ToolType   = tolower(tostring(Properties["gen_ai.tool.type"])),
    ToolName   = tolower(tostring(Properties["gen_ai.tool.name"])),
    Observation = tostring(coalesce(
                    Properties["gen_ai.computer_use.observation"],
                    Properties["gen_ai.computer_use.screenshot.text"],
                    Properties["microsoft.agent.computer_use.observation"],
                    Properties["gen_ai.tool.call.result"], ""))
| where ToolType has_any ("computer_use","computer-use","browser","desktop","ui","screen")
     or ToolName has_any ("computer_use","screenshot","mouse","keyboard","navigate","click","type_text","screen_capture","browser_use")
| where isnotempty(Observation)
| extend ObsLower = tolower(Observation)
| extend
    TagChars     = array_length(extract_all(@"([\x{E0000}-\x{E007F}])", Observation)),
    ZeroWidth    = array_length(extract_all(@"([\x{200B}-\x{200D}\x{FEFF}\x{2060}])", Observation)),
    BidiOverride = array_length(extract_all(@"([\x{202A}-\x{202E}\x{2066}-\x{2069}])", Observation)),
    HasInjection = ObsLower has_any (injectionMarkers)
| where TagChars > 0 or ZeroWidth >= 3 or BidiOverride > 0 or HasInjection
| extend Signal = case(
    TagChars > 0,     "UnicodeTagInScreenContent",
    BidiOverride > 0, "BidiOverrideInScreenContent",
    HasInjection,     "InstructionInScreenContent",
                      "ZeroWidthInScreenContent")
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project TimeGenerated, Signal, AccountName, Agent, Model, ProjectId, ConvId,
          ToolType, ToolName, TagChars, ZeroWidth, BidiOverride, HasInjection,
          ObservationSample = substring(Observation, 0, 512)
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific type of attack on computer-use agents, where visual content that seems harmless to humans actually contains hidden instructions meant to manipulate the agent. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies attempts to trick computer-use agents by embedding hidden commands in visual content. These commands are not visible to humans but can be interpreted by the agent.

  2. Detection Patterns: The query looks for specific patterns in the content processed by the agent, such as:

    • Hidden text using Unicode characters that are not typically visible (e.g., Unicode Tag block, zero-width characters).
    • Text direction manipulation using bidirectional override characters.
    • Explicit prompt-injection markers, which are phrases that could instruct the agent to perform certain actions.
  3. Data Source: It analyzes data from Application Insights, specifically focusing on application dependencies that involve computer-use tools like browsers, screen captures, and user interface interactions.

  4. Filtering Criteria: The query filters for recent data (within the last hour) and checks if the content includes any of the suspicious patterns mentioned above.

  5. Alert Generation: If any of these patterns are detected, it generates an alert with details such as the time, type of signal detected, and a sample of the suspicious content.

  6. Severity and Response: The severity of these alerts is classified as high, and incidents are created for further investigation. The query is designed to run every hour and will trigger an alert if any suspicious activity is detected.

  7. Entity Mapping and Incident Grouping: The query maps detected incidents to specific accounts and cloud applications, and it groups related alerts to manage incidents efficiently.

Overall, this query is part of a security measure to protect AI systems from being manipulated through visual content that contains hidden adversarial instructions.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

ApplicationInsightsAppDependenciesComputerUseBrowserDesktopUIScreenMouseKeyboardNavigateClickTypeTextScreenCaptureBrowserUseAccountCloudApplicationModelProjectIdConvIdAgentSignalUnicodeTagInScreenContentBidiOverrideInScreenContentInstructionInScreenContentZeroWidthInScreenContentSentinelAsCodeCustomFoundryAIVisualInjectionAIRTv2

Operators

letdynamicwhereextendtostringtolowercoalescehas_anyisnotemptyarray_lengthextract_allcaseiffisemptyprojectsubstringorder by

Severity

High

Tactics

InitialAccessDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub