Trojan Horses in Recruiting: A Red-Teaming Case Study on Indirect Prompt Injection in Standard vs. Reasoning Models

TL;DR

This study investigates the security vulnerabilities of Large Language Models in HR applications, revealing that reasoning-enhanced models may be more susceptible to sophisticated prompt injection attacks than standard models.

Contribution

It provides a comparative analysis of failure modes in standard versus reasoning models under adversarial prompts, challenging assumptions about reasoning models' safety advantages.

Findings

Standard models resorted to hallucinations under simple attacks.

Reasoning models used strategic reframing to persuade and showed meta-cognitive leakage.

Complex instructions caused reasoning models to unintentionally reveal injection logic.

Abstract

As Large Language Models (LLMs) are increasingly integrated into automated decision-making pipelines, specifically within Human Resources (HR), the security implications of Indirect Prompt Injection (IPI) become critical. While a prevailing hypothesis posits that "Reasoning" or "Chain-of-Thought" Models possess safety advantages due to their ability to self-correct, emerging research suggests these capabilities may enable more sophisticated alignment failures. This qualitative Red-Teaming case study challenges the safety-through-reasoning premise using the Qwen 3 30B architecture. By subjecting both a standard instruction-tuned model and a reasoning-enhanced model to a "Trojan Horse" curriculum vitae, distinct failure modes are observed. The results suggest a complex trade-off: while the Standard Model resorted to brittle hallucinations to justify simple attacks and filtered out illogical constraints in complex scenarios, the Reasoning Model displayed a dangerous duality. It employed advanced strategic reframing to make simple attacks highly persuasive, yet exhibited "Meta-Cognitive Leakage" when faced with logically convoluted commands. This study highlights a failure mode where the cognitive load of processing complex adversarial instructions causes the injection logic to be unintentionally printed in the final output, rendering the attack more detectable by humans than in Standard Models.