Article Published: Apr 16, 2026

Salesforce 'ForcedLeak': Indirect Prompt Injection via Agentforce Web-to-Lead Forms

Noma Security showed that a Web-to-Lead form entry can embed a prompt that Agentforce later treats as instructions, exfiltrating CRM leads and PII to an expired-but-allowlisted domain the attackers re-registered. CVSS 9.4.

The lesson is that agent safety needs three separate layers — untrusted-input handling, authority scoping, and sink enforcement — and this chain broke because URL allowlist hygiene failed.

Tags: Prompt Injection · Agentic AI · Data Exfiltration · SaaS Security
6 applicable AIDEFEND defenses
Source: Salesforce AI Agents Forced to Leak Sensitive Data
By Nate Nelson · Original article: Sep 25, 2025

Threat Analysis

  • Attack surface. A Salesforce Web-to-Lead form's Description field accepts user text. When a downstream Agentforce agent later processes the lead, it also follows any prompt embedded in that field — indirect prompt injection through a legitimate intake surface.
  • Weak context boundary. Noma first probed the agent with an unrelated prompt ("what's red + yellow?"). It answered "orange", proving the model would engage with instructions outside its sales domain instead of rejecting them.
  • Exfil path. Salesforce's CSP blocked arbitrary outbound domains, but its allowlist included my-salesforce-cms.com, whose registration had expired. Noma re-registered it, crafted a prompt that made the agent POST lead data there, and closed the exfil chain.
  • Severity. CVSS 9.4. Noma's CTO confirmed the compromised agent could also modify records, delete databases, and pivot to connected systems. Exfiltrated data includes pipeline, PII, conversation transcripts, and payment info.
  • Vendor response. Salesforce reclaimed the expired domain and tightened Trusted URLs to block untrusted-URL output. Structural fixes to how the model separates instruction from data remain in progress.

Applicable AIDEFEND Defenses (6)

AID-H-019.005
Value-Level Capability Metadata & Data Flow Sink Enforcement
Very High
Sink-level policy is what should have blocked exfil even after the injection landed. Trusted URLs is sink enforcement in spirit, but it needs to be bound to the sensitivity of the payload the agent is about to send, not only to a static domain allowlist.
AID-H-020.001
URL Normalization & Allowlist Filtering
Very High
The specific failure was an expired registration sitting on the allowlist, which an attacker could reclaim. URL allowlists need continuous hygiene: live registration checks, ownership verification, and a daily sweep of domains whose DNS no longer resolves to the intended vendor.
AID-D-003.002
Sensitive Information & Data Leakage Detection
High
ForcedLeak's impact is sensitive CRM data leaving through an agent response. Output scanning should catch PII, customer records, secrets, and unusually large record sets before they are rendered, logged, or sent to an external URL, even when that URL is allowlisted.
AID-H-002.002
Inference-Time Prompt & Input Validation
High
User-submitted form text that will later enter an agent's context must be validated at inference time — tag externally sourced text as untrusted data, strip or flag instruction-shaped content, and ensure the agent architecture does not execute directives drawn from the untrusted slot.
AID-M-009.002
Authority Envelope & Action Risk Classification
High
Bulk CRM export and record mutation are high-risk actions that should sit outside an intake-and-reply agent's normal envelope. A proper authority scope would require step-up approval for any outbound request that carries customer records, regardless of the destination URL.
AID-H-018.007
Dual-LLM Isolation Pattern
Medium
The structural fix is to split the LLM that parses untrusted content from the agent that calls tools, and to pass only a typed, schema-validated summary between them. ForcedLeak cannot chain if the tool-capable agent never sees the raw Description field.
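As an added example (not Salesforce's, Noma's or AIDEFEND's code), the privileged-side check that makes the Dual-LLM handoff work, which also applies the untrusted-slot rule from AID-H-002.002: the quarantined model that read the raw Description field returns a summary, and the tool-capable agent accepts it only if every field is a closed-enum, typed and bounded value, so free-form text has no slot through which to cross the boundary. The field names, enum values and limits are assumptions for the example.

```python
import re

# Closed vocabulary and bounds are assumptions for this example, not Salesforce's schema.
INTENTS = {"demo_request", "pricing", "support", "other"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SHORT_TEXT_RE = re.compile(r"[A-Za-z0-9 .,&'-]{1,64}")   # single line, no markup, bounded

# Whitelist of fields the tool-capable agent will accept, each with a strict predicate.
SCHEMA = {
    "intent": lambda v: isinstance(v, str) and v in INTENTS,
    "company": lambda v: isinstance(v, str) and SHORT_TEXT_RE.fullmatch(v) is not None,
    "contact_email": lambda v: isinstance(v, str) and EMAIL_RE.fullmatch(v) is not None,
    "seats": lambda v: type(v) is int and 0 <= v <= 100_000,
}

def validate_summary(summary):
    """Return (ok, errors). Unknown keys are rejected, so there is no slot
    through which free text from the Description field can reach the agent."""
    if not isinstance(summary, dict):
        return False, ["summary is not an object"]
    errors = [f"unexpected field {k!r}" for k in sorted(summary.keys() - SCHEMA.keys())]
    for key, check in SCHEMA.items():
        if key not in summary:
            errors.append(f"missing field {key!r}")
        elif not check(summary[key]):
            errors.append(f"field {key!r} failed type/bounds check")
    return not errors, errors

# Constructed quarantined-model outputs (fictitious; not from the original report).
CLEAN = {"intent": "demo_request", "company": "Acme Widgets",
         "contact_email": "buyer@acme.test", "seats": 25}
EXTRA_FIELD = {**CLEAN, "notes": "free-form text lifted from the Description field"}
MULTILINE_VALUE = {**CLEAN, "company": "Acme Widgets\nsecond line of free text"}
WRONG_TYPE = {**CLEAN, "seats": "25"}
```

Only a summary that passes is handed to the agent that holds tool authority; anything else is dropped and logged, never "cleaned up" and forwarded.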

What Defenders Should Do Now

  • Audit every place your SaaS AI agents ingest user-submitted content (web forms, uploads, comments, email threads) and confirm whether the architecture treats that content as data or as instructions.
  • Inventory every domain on your agent output allowlists and CSPs. Verify live registration and ownership for each; remove any domain whose registration has lapsed or whose DNS no longer resolves to trusted infrastructure.
  • Wrap agent actions that emit customer records, mutate CRM state, or hit paid or sensitive APIs in a step-up approval path, regardless of destination URL.
  • Instrument agent outputs with data-sensitivity labels and volume metrics. Alert when an agent attempts to exfiltrate bulk records, even to an allowlisted URL.
  • Where structural change is feasible, adopt a dual-LLM or tool-isolation pattern so the component that reads untrusted user input is not the component that holds tool authority.

2 additional considerations

Allowlist domain ownership monitoring

Beyond the techniques above, teams relying on domain allowlists (CSP, Trusted URLs, agent output allowlists) should layer in continuous monitoring of every allowlisted domain's registration and DNS state, because an expired domain that an attacker reclaims silently undermines the entire policy.
Recommendation: Run a daily scheduled check against every allowlisted domain: registration still held by your organisation or a named trusted vendor, and DNS/MX/NS still pointing to expected infrastructure. Alert on any deviation; do not run this monthly.
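The daily check described here and in AID-H-020.001, as an added example that is not Salesforce's or Noma's tooling: each allowlisted domain is compared against the registrant that should hold it and the nameservers that should serve it, and a lapsed, reclaimed or re-pointed domain becomes a finding. The `lookup` callable is where a real RDAP/WHOIS and DNS query would be plugged in; the domains, registrant names and dates below are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

@dataclass(frozen=True)
class Expected:
    registrant: str                  # organisation that must hold the registration
    nameservers: frozenset           # NS hosts that must serve the zone

@dataclass(frozen=True)
class Observed:
    registrant: Optional[str]        # None: registration not found (lapsed / deleted)
    expires: Optional[date]
    nameservers: frozenset

def audit(allowlist: dict, lookup: Callable[[str], Optional[Observed]],
          today: date, warn_days: int = 30) -> dict:
    """Return {domain: [finding codes]} for every allowlisted domain that deviates."""
    findings = {}
    for domain, want in allowlist.items():
        got = lookup(domain)
        codes = []
        if got is None or got.registrant is None:
            codes.append("LAPSED")              # nobody holds it: remove from allowlist
        else:
            if got.registrant != want.registrant:
                codes.append("OWNER_MISMATCH")  # registration changed hands
            if not got.nameservers or not got.nameservers <= want.nameservers:
                codes.append("NS_MISMATCH")     # zone now served elsewhere (e.g. parking)
            if got.expires is not None and (got.expires - today).days <= warn_days:
                codes.append("EXPIRING")        # renew before it can lapse
        if codes:
            findings[domain] = codes
    return findings

# Constructed stand-in for RDAP/WHOIS and DNS answers (fictitious domains).
VENDOR_NS = frozenset({"ns1.vendor-dns.test", "ns2.vendor-dns.test"})
ALLOWLIST = {d: Expected("Example Vendor Inc", VENDOR_NS) for d in
             ("cms.vendor.test", "lapsed-cms.test", "reclaimed-cms.test", "expiring-cms.test")}
SAMPLE = {
    "cms.vendor.test": Observed("Example Vendor Inc", date(2027, 6, 1), VENDOR_NS),
    "lapsed-cms.test": None,
    "reclaimed-cms.test": Observed("Privacy Proxy LLC", date(2027, 3, 1), frozenset({"ns1.parking.test"})),
    "expiring-cms.test": Observed("Example Vendor Inc", date(2026, 5, 1), VENDOR_NS),
}

def run_sample(today: date = date(2026, 4, 16)) -> dict:
    return audit(ALLOWLIST, SAMPLE.get, today)
```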

Egress-volume anomaly detection on agent outputs

Beyond URL allowlisting, defenders should log what the agent actually transmits and tag each call with data sensitivity and record count. A single lead sent to a third-party form is normal; a bulk list of all customer leads is not, regardless of destination.
Recommendation: Instrument agent tool invocations with per-call data-sensitivity labels and record-count metadata. Rate-limit or step-up on high-volume or high-sensitivity sinks even when the URL is on the allowlist.
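A sink-level policy of the kind this recommendation and AID-H-019.005, AID-D-003.002 and AID-M-009.002 describe, as an added example (not Salesforce's Trusted URLs implementation): the decision for an agent's outbound POST depends on the payload's sensitivity tier and record count as well as on the destination, so an allowlisted host alone never releases customer records. The trusted host, bulk threshold, field names and sample leads are constructed for the example, and the PAN regex is deliberately crude.

```python
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"webhook.example-vendor.test"}   # constructed stand-in for Trusted URLs
BULK_THRESHOLD = 5                                 # records per call before step-up
PAYMENT_KEYS = {"card_number", "iban", "payment_token"}
PII_KEYS = {"email", "phone", "ssn", "address"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # crude PAN shape; real DLP would Luhn-check

def classify(records):
    """Return (sensitivity, record_count); sensitivity is 'public', 'pii' or 'payment'."""
    level = "public"
    for rec in records:
        for key, value in rec.items():
            text = str(value)
            if key in PAYMENT_KEYS or CARD_RE.search(text):
                return "payment", len(records)     # highest tier, stop scanning
            if key in PII_KEYS or EMAIL_RE.search(text):
                level = "pii"
    return level, len(records)

def decide(url, records):
    """Return (decision, reason): ALLOW, ALLOW_LOGGED, STEP_UP or BLOCK."""
    host = (urlparse(url).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return "BLOCK", f"{host!r} is not a trusted sink"
    sensitivity, count = classify(records)
    if sensitivity == "payment":
        return "STEP_UP", f"{count} record(s) carrying payment data need human approval"
    if count >= BULK_THRESHOLD:
        return "STEP_UP", f"bulk export of {count} records ({sensitivity}) needs approval"
    if sensitivity == "pii":
        return "ALLOW_LOGGED", f"{count} PII record(s) to trusted sink; logged with labels"
    return "ALLOW", f"{count} non-sensitive record(s) to trusted sink"

# Constructed sample leads (fictitious).
ONE_LEAD = [{"company": "Acme Widgets", "email": "buyer@acme.test"}]
BULK_LEADS = [{"company": f"Customer {i}", "email": f"c{i}@example.test"} for i in range(50)]
CARD_LEAD = [{"company": "Acme Widgets", "notes": "paid with 4111 1111 1111 1111"}]
```

The decision and reason are what to log per tool invocation; the STEP_UP branch is where the approval path from the "What Defenders Should Do Now" list attaches.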

Conclusion

ForcedLeak is a canonical case for why agentic AI safety has to be defence-in-depth. Three separate layers could have stopped this chain — input validation at ingest, authority scoping on the agent's action set, or sink-level policy on data egress — and any one holding would have prevented the exfil. AIDEFEND covers each layer; the lesson here is that a static URL allowlist is too brittle to be the primary exfil control, and every allowlist must be paired with ongoing domain hygiene and egress-volume monitoring.