When you paste a retrieved document into a model's context, the model sees one flat stream of text. Your instructions and the attacker's instructions arrive in the same font, so to speak. Nothing in the tokens themselves says “this part is data you should reason about” versus “this part is a command you should follow.” That ambiguity is the entire mechanism of indirect prompt injection.
Spotlighting, a technique from Microsoft, attacks the ambiguity directly. It transforms untrusted content before it enters the prompt so the model can see which spans are external and treat them as inert. The reported effect is large: on GPT-family models, indirect-injection attack success fell from over 50% to under 2%, with little loss of task quality. For a change that lives entirely on the prompt side, that is one of the best returns in the whole defense catalog.
Three ways to mark the untrusted span
Spotlighting comes in three variants, in increasing strength and increasing cost to task quality.
Delimiting
The simplest form wraps the untrusted content in randomized, opaque markers and tells the model in the system prompt that everything between them is data, never instructions. Randomization matters: a fixed, guessable delimiter can be forged by an attacker who writes their own closing marker mid-document and continues in “trusted” territory. Delimiting is the lightest touch and the most spoofable — its security rests on the marker staying secret, which is a weak place to rest anything.
Datamarking
Datamarking goes further. Instead of marking only the edges of the untrusted block, it interleaves a special marker character between every word. The boundary is then present on every single token the model reads, not just at the start and end, so there is no “interior” the model can drift into and start trusting. It is the workhorse variant: strong signal, modest cost, and it survives an attacker trying to close the block early because the marking never stops.
Encoding
The strongest variant transforms the untrusted content wholesale — base64, ROT13, or similar — so injected instructions never appear as fluent, followable natural language in the context at all. An imperative sentence encoded to base64 simply isn't a sentence the model reflexively obeys. The catch is that it also isn't a sentence the model reads easily: encoding degrades performance on tasks that need to engage closely with the content, like nuanced summarization, translation, or code review. The strongest option is the one you can least often afford.
Why it works — and why that isn't enough
All three variants work the same way underneath: they add a signal to the prompt that makes the model more likely to treat a span as data. That is genuinely valuable, and the numbers earn the attention. But notice the shape of the claim. “More likely” is a probability. It is not an enforcement mechanism, and under 2% success is not zero success.
The limits are worth stating plainly, because the strong benchmark number tempts teams to over-trust it:
- It is probabilistic. A determined attacker who lands in the residual few percent is through, and nothing structural stopped them — the model just happened, this time, to obey the marked span.
- It is model-dependent. The figures come from GPT-family models. A different or smaller model may honor the marking far less reliably, and you cannot know until you measure it on your own stack.
- It degrades on some tasks. Encoding in particular hurts jobs that need to read the content closely, which pushes teams back toward weaker variants exactly where the content is most sensitive.
- The marker is a secret, not a structure. Delimiting leans on the attacker not knowing the delimiter. Randomizing per request helps, but a property that depends on secrecy is not a boundary you can prove.
And crucially, spotlighting has no view of what your agent can do with a successful injection. It operates entirely on the prompt. Whether a leaked instruction becomes a harmless misread or a data-exfiltration event is decided somewhere else entirely — in your tool permissions and your architecture.
What we tell clients
Turn it on. Spotlighting is a rare thing in this field — a cheap control that measurably works. If you ingest external content into a model context and you are not marking it, close that gap now. Datamarking is the sensible default; reach for encoding only where the task tolerates transformed input, and randomize your delimiters per request if you use plain delimiting at all. Then re-measure the effect on your actual model, because the headline number belongs to GPT-family models, not necessarily to yours.
But hold the line on what spotlighting is: defense in depth, never the only depth. It lowers the odds an injection is obeyed; it does not constrain what happens when one is. Put it beneath the boundaries that give you a real security property — privilege separation, least-privilege tooling, egress control — so that the residual bypass, and on a long enough timeline there is one, lands on a system with nothing to steal and nowhere to send it. A great benchmark number is a reason to ship the control, not a reason to skip the boundary underneath it.
Spotlighting is one pattern in our Defense Architecture catalog. The pattern page for Spotlighting has the variants, trust boundaries, threat surface, and architecture diagram in full.