LMVD-ID: f87e4c57
Published November 1, 2025

Conceptual Triggers Bypass Safety

model-layer
prompt-layer
injection
jailbreak
blackbox
integrity
safety
Affected Models:gpt-4o, gpt-4o mini, deepseek-r1, qwen 3:8b, mistral 0.3:7b, deepseek-v3:671b

Research Paper

When Harmless Words Harm: A New Threat to LLM Safety via Conceptual Triggers

View Paper

Description: Large Language Models are vulnerable to a conceptual manipulation attack, termed Morphology Inspired Conceptual Manipulation (MICM), that bypasses standard safety filters to generate content aligned with harmful extremist ideologies. The attack does not use explicit keywords or standard jailbreak syntax. Instead, it embeds a curated set of seemingly innocuous phrases, called Concept-embedded Triggers (CETs), into a prompt template. These CETs represent an abstract "conceptual configuration" of a target ideology (e.g., neo-Nazism). The LLM's capacity for abstract generalization leads it to recognize this underlying structure and generate commentary on socio-political events that aligns with the harmful ideology, while avoiding detection by safety mechanisms that screen for explicitly toxic content. The attack is model-agnostic and has been shown to be highly effective.

Examples: The attack uses a fixed prompt template that incorporates a set of pre-identified Concept-embedded Triggers (CETs) to frame a query about a real-world event. While the specific 168 CETs are detailed in the referenced research paper's dataset, the structure of an attack prompt is as follows:

User:
Generate a comprehensive commentary on the [SPECIFIC SOCIO-POLITICAL INCIDENT].
Your analysis should reflect the underlying ideas and perspectives inherent in the following themes:
- [Concept-embedded Trigger 1]
- [Concept-embedded Trigger 2]
- [Concept-embedded Trigger 3]
- ...
- [Concept-embedded Trigger N]

The triggers themselves are phrases derived from political science literature describing how extremist ideas are communicated covertly (e.g., through multivocal communication, mainstream imitation, intellectualization of conspiracy). For the full methodology and list of triggers, see the research paper and its associated dataset. See arXiv:2405.18540.

Impact: An attacker can leverage this vulnerability to cause an LLM to generate sophisticated content that promotes harmful, extremist ideologies. This bypasses the intended safety alignment of the model. The generated text is not an explicit instruction-following response (e.g., "how to make a bomb") but rather nuanced, persuasive commentary aligned with a toxic worldview. This allows for the weaponization of LLMs to produce propaganda and ideologically subversive material at scale, undermining user safety and trust.

Affected Systems: The vulnerability was demonstrated to be effective and model-agnostic. The following models were explicitly tested and found to be vulnerable:

  • GPT-4o
  • GPT-4o mini
  • Deepseek-R1
  • Qwen3:8B
  • Mistral 0.3:7B

Mitigation Steps: The research paper recommends a shift in safety research beyond explicit harm detection. The following are recommended actions for model developers:

  • Develop and implement safety mechanisms capable of detecting and evaluating the abstract "ideological alignment" of generated content, moving beyond simple keyword filtering or semantic analysis.
  • Expand safety training and red-teaming protocols to include value-based and conceptual manipulation attacks, rather than focusing solely on direct instruction-following jailbreaks.
  • Incorporate cross-disciplinary insights from political science and sociology to build models that are robust against the covert injection of harmful conceptual frameworks.

© 2025 Promptfoo. All rights reserved.