The attack exploits desynchronization between the DOM/HTML source and the final visual rendering in the browser using custom fonts with glyph substitution.
An LLM analyzes the page's raw HTML and interprets it as benign, while the user is presented with a malicious command (for example, a reverse shell).
As a result, the attacker bypasses LLM-based content filtering by combining font-level obfuscation with classic social engineering.

📎 Article: https://layerxsecurity.com/blog/poisoned-typeface-a-simple-font-rendering-poisons-every-ai-assistant-and-only-microsoft-cares/

💬 Discuss

Font glyph substitution attack: bypassing malicious command validation by AI assistants