Could a five-dollar domain hand a stranger the keys to your company’s customer records? In late September 2025, security researchers demonstrated just that: by buying an expired domain for roughly US$5, they performed a prompt injection attack against Salesforce’s Agentforce AI-assisted workflow product. Although Salesforce has since patched the specific configuration that made the attack possible, the incident is a powerful reminder that the expanding complexity of AI systems multiplies everyday attack surfaces — and that mundane failures in trust management can lead to serious data exposure.
Prompt injection exploited via a cheap domain
Prompt injection is the practice of crafting inputs to an AI system that change its intended behavior — often to cause the model to reveal data, ignore safeguards, or perform unauthorized actions. In the published proof-of-concept, researchers found an expired subdomain that Agentforce treated as a trusted content source. By re-registering that domain and hosting carefully designed content, they were able to manipulate Agentforce’s prompt pipeline and coax it into disclosing customer data. Crucially, the attack did not rely on a traditional software bug or cryptographic break; it exploited normal agent behavior: fetching and integrating content from an assumed-trusted origin.
Salesforce’s remediation involved tightening the configuration that accepted the expired domain and deploying other mitigations. Public reporting indicates the vendor responded after responsible disclosure and patched the issue. There are no public reports that customer data was harvested in the wild through this precise technique. Still, the scenario illustrates how “trust of origin” assumptions embedded in AI workflows can become single points of failure.
Why the threat matters
Operational trust is brittle. Organizations routinely add domains, APIs, and third-party services to allowlist or trust lists and then seldom revisit those relationships. Domain registration lapses, third-party takeover, or content manipulation can turn a benign trust relationship into an exploit path. An attacker doesn’t need to crack encryption or exploit memory corruption when re-registering an expired domain will do the job.
AI agents amplify the risk. Modern agents compose internal data, system prompts, and external content to produce outputs. That composability increases the likelihood that one compromised input will be amplified within the agent’s reasoning chain and lead to a data leak. As more enterprise workflows depend on agents to access sensitive records and make decisions, the consequences of a single poisoned input grow.
Remediation must be both technical and organizational. Fixing a single configuration is necessary, but insufficient. Organizations need continuous telemetry and domain monitoring, rigorous supply-chain hygiene for the external resources agents consume, and runtime protections to detect abnormal prompt behavior.
Practical mitigations that reduce prompt injection risk
– Continuous ownership checks and monitoring: Maintain an inventory of trusted domains, subdomains, and endpoints. Use automated checks to detect ownership changes, expired certificates, or suspicious DNS updates.
– Runtime prompt sanitization: Filter and sanitize external content before it enters the agent’s prompt pipeline. Detect and neutralize directives or patterns that resemble instructions designed to override safeguards.
– Layered attestation: Require multiple attestations or proofs of origin before ingesting external content into sensitive workflows. Don’t rely on a single allowlist entry as the final arbiter of trust.
– Output anomaly detection: Monitor what AI agents disclose. Alert on atypical disclosures, bulk exfiltration patterns, or unexpected references to sensitive datasets.
– Least privilege for agent access: Limit the categories of data an assistant can access. Use role-based controls and context-limited tokens when agents must fetch external resources.
– Regular threat modeling and audits: Treat domain ownership change as a credible threat during threat-modeling exercises. Include trust-of-origin scenarios in security reviews.
Different stakeholders must adapt
For technologists, the case underlines the need for continuous validation in trust chains: certificate checks, allowlists that include active ownership verification, and runtime guards that flag abnormal prompt instructions. Product managers and security architects should bake in threat models that assume adversaries can and will flip trusted domains. Policymakers and regulators face questions about who is responsible when a change in a third-party resource enables leakage; existing data-protection rules focus on access controls and encryption but rarely address embedded trust assumptions in AI workflows. Extending software supply-chain practices — like SBOMs and dependency scanning — to include “trust-of-origin” monitoring for AI agents is a logical next step.
Users and customers deserve transparency. Enterprises deploying AI assistants should clearly state what categories of data an assistant can access, how external content is vetted, and what detection mechanisms are in place for anomalous outputs. That transparency builds trust; silence breeds suspicion.
The economics and ethics of independent research
Re-registering an expired domain is cheap and plausible, making it an attractive tactic for attackers and researchers alike. This low-cost vector highlights the disproportionate return an adversary can achieve for minimal investment. At the same time, the episode underscores the value of independent security research and responsible disclosure. Coordinated reporting and patching — as happened here — are central to improving cyber resilience against emergent AI behaviors.
Conclusion: Prompt injection remains a live risk
Salesforce’s patch removed one concrete avenue of attack, but it does not eliminate the broader class of prompt injection risks that arise whenever AI agents federate content from external sources. As enterprises integrate agents into customer service, CRM workflows, and decision support, they must reconcile the convenience of external content ingestion with the hard work of securing trust boundaries. Building systems that expect an adversarial world — rather than assuming stability — is essential. The five-dollar domain was a low-cost test with a high-value lesson: defending customer data will require ongoing vigilance, layered defenses, and organizational practices that treat prompt injection as a realistic and present threat.




