PromptRiskDB - Threat intelligence atlas

Search Victim-Owned Websites - AI Security Technique

Record summary

A quick snapshot of what this page covers.

Tactics: 1 - Attacker goals connected to this method.
Mitigations: 1 - Defenses that may help against this attack.
AI risks: 0 - Research-backed risks connected to this topic.

Attack context

How this AI attack works in practice.

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain technical details about their AI-enabled products or services. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships.

Adversaries may search victim-owned websites to gather actionable information. This information may help adversaries tailor their attacks (e.g., Adversarial AI Attacks or Manual Modification). Information from these sources may also reveal opportunities for other forms of reconnaissance (e.g., Search Open Technical Databases or Search Open AI Vulnerability Analysis).

ATLAS ID: AML.T0003
ATT&CK external ID: T1594
Priority score: 43
Maturity: demonstrated
Tactic: Reconnaissance

Mitigations

Defenses that may help against this attack.

AML.M0000 - Limit Public Release of Information

Lifecycle: Business and Data Understanding
Category: Policy

Restrict release of technical information on ML-enabled products and organizational information on the teams supporting ML-enabled products.
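The attack context above describes what an adversary harvests from a victim-owned site (model and framework names, API endpoints, team names, roles, contact details), and AML.M0000 asks the owner to keep exactly that material off public pages. The script below is an added example, not part of the ATLAS entry or of PromptRiskDB: it extracts visible text from HTML pages and runs indicator patterns over it, so it serves both as the adversary's harvest and as a defender's pre-publication check. The two pages are constructed samples under the reserved example.test domain, and every indicator pattern is an assumption about what "technical detail" looks like rather than a list taken from the page.

```python
"""Harvest AI/ML product and team details from victim-owned web pages.

Added example, not part of the ATLAS entry or PromptRiskDB. Runs the kind of
search AML.T0003 describes; a defender can run the same scan over drafts as a
check for AML.M0000. Sample pages and indicator patterns are constructed
assumptions, not data from the page.
"""
import re
from html.parser import HTMLParser

# Constructed sample pages standing in for the HTML a crawler would fetch.
SAMPLE_PAGES = {
    "https://example.test/products/assistant": """
      <html><body>
      <h1>Acme Assistant</h1>
      <p>Built on a fine-tuned Llama-3-8B model served with vLLM behind
      https://api.example.test/v1/chat/completions. Retrieval uses
      pgvector on Postgres.</p>
      <p>Questions? Contact the Applied ML Platform team at ml-platform@example.test.</p>
      </body></html>""",
    "https://example.test/about/leadership": """
      <html><body>
      <h2>Leadership</h2>
      <ul>
        <li>Jane Roe, Head of Machine Learning Security, jane.roe@example.test</li>
        <li>John Doe, VP Engineering</li>
      </ul>
      <p>Offices: Austin, TX and Dublin, IE</p>
      </body></html>""",
}

# Assumed indicator patterns; extend the vocabularies for your own products.
INDICATORS = {
    # model families and serving/ML frameworks named on product pages
    "model_or_framework": re.compile(
        r"\b(?:(?:Llama|GPT|Mistral|BERT)(?:[-.]?\w+)*"
        r"|vLLM|PyTorch|TensorFlow|LangChain|pgvector|Triton|ONNX)\b"),
    # versioned API paths such as /v1/chat/completions
    "api_endpoint": re.compile(r"https?://[\w.-]+/v\d+(?:/[\w-]+)*"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # job titles, read up to the next comma or full stop on the same line
    "role": re.compile(r"\b(?:Head of|VP|Director of|Chief \w+ Officer)\b[^,.\n]*"),
    # capitalised names ending in team/group/division/department
    "team": re.compile(r"\b(?:[A-Z]\w* )+(?:team|group|division|department)\b"),
}

_BLOCK_TAGS = {"p", "li", "h1", "h2", "h3", "h4", "h5", "h6", "div", "tr", "ul", "ol"}


class _TextExtractor(HTMLParser):
    """Collect visible text, dropping script/style and ending blocks with a newline."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "br":
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in _BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        if not self._skip:
            # collapse source-line wrapping inside a block to single spaces
            self.parts.append(re.sub(r"\s+", " ", data))


def extract_text(html):
    """Return visible text as one line per block element."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    lines = "".join(parser.parts).split("\n")
    return "\n".join(" ".join(line.split()) for line in lines if line.strip())


def find_indicators(text):
    """Map each indicator category to its sorted unique matches in the text."""
    found = {}
    for category, pattern in INDICATORS.items():
        hits = sorted({m.group(0).strip() for m in pattern.finditer(text)})
        if hits:
            found[category] = hits
    return found


def scan_pages(pages):
    """Run the harvest over {url: html} and return {url: indicators}."""
    return {url: find_indicators(extract_text(html)) for url, html in pages.items()}


def exposure_report(results):
    """Flatten results into (category, value, url) rows, most technical first."""
    order = ["api_endpoint", "model_or_framework", "email", "role", "team"]
    rows = [(cat, val, url)
            for url, found in results.items()
            for cat in order
            for val in found.get(cat, [])]
    return sorted(rows, key=lambda r: (order.index(r[0]), r[1], r[2]))


if __name__ == "__main__":
    for category, value, url in exposure_report(scan_pages(SAMPLE_PAGES)):
        print(f"{category:20} {value:45} {url}")
```

Point scan_pages at the HTML of your own public pages (fetched however you normally crawl them) before they go live; any row in the report is a candidate for removal under AML.M0000, with api_endpoint and model_or_framework rows being the ones most directly useful to an attacker planning adversarial inputs against the product.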

Case studies

Examples from public reports and exercises.

Living Off AI: Prompt Injection via Jira Service Management

Type: exercise
Date: 2025-06-19

Researchers from Cato Networks demonstrated how adversaries can exploit AI-powered systems embedded in enterprise workflows to execute malicious actions with elevated privileges. This is achieved by crafting malicious inputs from external users such as support tickets that are later processed by internal users or automated systems using AI agents. These AI agents, operating with internal context and trust, may interpret and execute the malicious instructions, leading to unauthorized actions such as data exfiltration, privilege escalation, or system manipulation.

Confusing Antimalware Neural Networks

Type: exercise
Date: 2021-06-23

Cloud storage and computations have become popular platforms for deploying ML malware detectors. In such cases, the features for models are built on users' systems and then sent to cybersecurity company servers. The Kaspersky ML research team explored this gray-box scenario and showed that feature knowledge is enough for an adversarial attack on ML models.

They attacked one of Kaspersky's antimalware ML models without white-box access to it and successfully evaded detection for most of the adversarially modified malware files.

Source

Where the information on this page comes from.