This work addresses a critical vulnerability in current retrieval-augmented generation (RAG) systems, which are susceptible to limited-coverage and easily detectable attacks when handling cross-topic, semantically connected query networks. The authors propose DiscourseFlip, a black-box, discourse-level opinion manipulation attack that formalizes this threat model for the first time, overcoming the constraints of traditional single-query or locally scoped attacks. Leveraging a graph-structured agent mechanism and a dynamic poisoning allocation algorithm, DiscourseFlip orchestrates opinion shifts across a multi-topic query space under tight budget constraints. Experimental results demonstrate that DiscourseFlip substantially outperforms baseline methods in both coverage and effectiveness, while user studies confirm its high stealthiness. Moreover, existing defense mechanisms prove largely ineffective against this novel attack paradigm.

Retrieval-Augmented Generation (RAG) systems are widely deployed and increasingly influential, but their reliance on external corpora exposes new security risks from poisoned retrieval content. Existing RAG attacks are largely focusing on individual queries or narrow topic-local query sets, which limits their practical reach and offers limited camouflage in real-world settings. In this paper, we introduce discourse-level opinion manipulation, a new threat model in which coordinated influence across a semantic query network induces opinion shifts over a holistic, multi-topic query space. We formalize this threat in a black-box setting and propose DiscourseFlip, an agentic, graph-guided attack that dynamically allocates a limited poisoning budget to maximize discourse-level opinion deviation. Extensive experiments demonstrate that DiscourseFlip consistently induces targeted opinion shifts across the contextualized query network and significantly outperforms existing baselines in terms of coverage and effectiveness. User studies further confirm that DiscourseFlip is effective while remaining well camouflaged from user detection. Moreover, systematic analyses show that existing mitigation strategies are ineffective against discourse-level manipulation, underscoring the urgent need for more robust and adaptive defenses to address discourse-level vulnerabilities.