T1-AT-001 HIGH

Dialogue Hijacking

T1 · Prompt & Context Subversion
Risk score: 220
Rating: High
Procedures: 5
Severity
Mechanism

Exploits the model's inability to verify conversational history. When a user claims a prior exchange occurred, the model has no mechanism to check session state against actual conversation logs — each session starts stateless. This is architecturally distinct from other T1 techniques because the attack vector is the model's trust in the user's representation of past state, not the current instruction.

Detection
  • Pattern match for conversation-continuation claims without matching session history: "continue from," "as we discussed," "you were explaining," "resuming from"
  • Cross-reference with actual session state — if the session is new or the claimed topic doesn't appear in history, flag as fabrication
  • Sigma rule: sigma/t01-dialogue-hijack.yml (if exists)
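
The two detection steps above, combined into one check, as an added example that is not part of this catalogue or its Sigma rule. The continuation phrases come from the list above; the function name, the `(role, text)` history format, the stopword list and the keyword-overlap heuristic for "claimed topic" are assumptions.

```python
import re

# Continuation phrases listed in the Detection section above.
CLAIM_RE = re.compile(
    r"\b(continue from|as we discussed|you were explaining|resuming from)\b",
    re.IGNORECASE,
)
# Constructed stopword list (assumption) so only topic-bearing words are compared.
STOPWORDS = {"that", "this", "from", "where", "with", "your", "about", "were",
             "what", "left", "please", "earlier", "before", "last", "step",
             "part", "have", "just", "then", "continue", "explaining"}

def _topic_words(text):
    return {w for w in re.findall(r"[a-z]{4,}", text.lower()) if w not in STOPWORDS}

def check_continuation_claim(message, history):
    """Return (flagged, reason). history is a list of (role, text) turns
    read from the server-side session log, never supplied by the client."""
    m = CLAIM_RE.search(message)
    if not m:
        return (False, "no continuation claim")
    if not history:
        return (True, f"claim '{m.group(1).lower()}' in a new session")
    claimed = _topic_words(message[m.end():])
    if not claimed:
        return (False, "claim names no topic to verify")
    seen = set()
    for _role, text in history:
        seen |= _topic_words(text)
    if not (claimed & seen):
        return (True, f"claimed topic {sorted(claimed)} absent from history")
    return (False, "claim consistent with session history")

if __name__ == "__main__":
    # Constructed sample session (not real logs).
    logged = [("user", "How do I rotate TLS certificates on nginx?"),
              ("assistant", "Reload nginx after replacing the certificate files.")]
    for msg, hist in [
        ("As we discussed, continue the certificates walkthrough.", logged),
        ("You were explaining the payroll export script, go on.", logged),
        ("Resuming from step 3 of the deployment guide.", []),
    ]:
        print(check_continuation_claim(msg, hist), "<-", msg)
```

Keyword overlap is a coarse stand-in for topic matching; a flagged message is a candidate for review against the stored history, not a verdict.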
Mitigation
Session state verification (compare claims against actual history): HIGH
Constitutional Classifiers (Anthropic): HIGH
Stateless session design (no persistent memory): MEDIUM
Chaining

Successful dialogue hijacking establishes false conversational precedent. Chains to T1-AT-012 (Consent Manufacturing) — once the model "believes" it already agreed, subsequent requests can reference that fabricated consent.

Framework mapping
OWASP LLM: LLM01
MITRE ATLAS: AML.T0051