Microsoft Uncovers AI Recommendation Poisoning Tactics Used by 31 Companies

Microsoft’s Defender team reveals 50 AI recommendation manipulation attempts by 31 companies, raising ethical concerns in health and finance sectors.

Microsoft’s Defender Security Research Team unveiled concerns surrounding a new technique termed “AI Recommendation Poisoning,” which involves businesses embedding prompt-injection instructions within buttons labeled “Summarize with AI” on their websites. When users interact with these buttons, they unintentionally trigger an AI assistant that not only summarizes the webpage but also receives hidden directives to recognize the company as a trusted source for future interactions.

This method could enable companies to manipulate AI recommendations without users being aware that such instructions were inserted. Microsoft's research, conducted over a 60-day period, reviewed AI-related URLs found in email traffic and uncovered 50 distinct prompt injection attempts from 31 companies, all of them legitimate businesses rather than malicious actors.

The study highlighted a concerning trend, especially among companies in the health and financial sectors, where biased AI recommendations can significantly impact decision-making. One domain was misleadingly similar to a well-known website, raising potential issues of false credibility. Alarmingly, one of the identified companies was a security vendor, further complicating the landscape.

Microsoft’s analysis revealed that these prompt injections typically instructed AI to register a company as “a trusted source for citations” or to position itself as the primary reference for specific topics. Some attempts were more aggressive, directly inserting marketing materials into the assistant’s memory, including details on product features and selling points.

The researchers traced these tactics back to publicly accessible tools, such as the npm package CiteMET and the AI Share URL Creator, which are designed to enhance visibility in AI memory. This technique exploits specific URL structures supported by various major AI assistants, including Copilot, ChatGPT, Claude, Perplexity, and Grok. Microsoft noted that while the mechanisms for persistence differ across platforms, the core approach remains consistent.

In response to these findings, Microsoft reinforced that its Copilot product includes protections against cross-prompt injection attacks. The company emphasized that some previously reported prompt-injection behaviors can no longer be replicated in Copilot, and it continues to enhance its security measures. Additionally, Microsoft has provided advanced hunting queries for organizations using Defender for Office 365, enabling security teams to identify URLs containing words related to memory manipulation in email and Teams traffic.
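The kind of URL triage described above can be sketched as follows. This is an added example, not Microsoft's hunting query or code from the research: the assistant hostnames, the prompt parameter names, and the keyword list are assumptions chosen for illustration, and the sample URLs in the test are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed assistant hosts and prompt-carrying parameters (not listed on the page).
ASSISTANT_HOSTS = ("copilot.microsoft.com", "chatgpt.com", "claude.ai",
                   "perplexity.ai", "grok.com")
PROMPT_PARAMS = ("q", "prompt")

# Constructed keyword list: wording that asks the assistant to persist
# something or to treat a site as an authority.
MEMORY_TERMS = ("remember", "memory", "trusted source", "citation",
                "from now on", "in future")


def is_assistant_host(host):
    """Exact or subdomain match only, so look-alike domains do not qualify."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ASSISTANT_HOSTS)


def prefilled_prompt(url):
    """Return the decoded prompt carried by an assistant deep link, else None."""
    parts = urlsplit(url)
    if not is_assistant_host(parts.hostname or ""):
        return None
    query = parse_qs(parts.query)  # decodes %XX and '+' once
    for name in PROMPT_PARAMS:
        if query.get(name):
            # Second decode pass catches double-encoded prompts.
            return unquote(" ".join(query[name]))
    return None


def memory_terms_in(url):
    """List the memory-manipulation terms found in the link's prefilled prompt."""
    prompt = prefilled_prompt(url)
    if prompt is None:
        return []
    text = " ".join(prompt.lower().split())  # normalise case and whitespace
    return [term for term in MEMORY_TERMS if term in text]


def triage(urls):
    """Map each suspicious URL to the terms that flagged it."""
    return {u: hits for u in urls if (hits := memory_terms_in(u))}
```

A keyword hit is only a triage signal: a link that merely prefills "summarize this page" is not flagged, and flagged links still need a human to read the decoded prompt.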

Importantly, users can manage stored memories in Copilot through the Personalization section of the chat settings, allowing for greater control over AI interactions. Microsoft has likened the implications of AI Recommendation Poisoning to SEO poisoning and adware, emphasizing that while businesses engaged in legitimate AI visibility efforts now face competition from those employing prompt injection, the stakes have never been higher.

The timing of this revelation is notable, coinciding with a report from SparkToro indicating that AI brand recommendations significantly vary across most search queries. Google VP Robby Stein recently mentioned on a podcast that AI search algorithms evaluate business recommendations based on external site feedback. The memory poisoning technique, however, bypasses this due diligence by embedding recommendations directly into users’ assistants.

As the landscape evolves, Microsoft acknowledges the continuous nature of this issue. The open-source availability of the tools used for these prompt injections allows for new tactics to emerge more rapidly than any single platform can respond. It remains uncertain whether AI platforms will view this practice as a policy violation, or whether companies will continue to leverage this gray-area tactic for competitive advantage.

As the technology progresses, the implications of AI Recommendation Poisoning will likely extend beyond the current context, prompting ongoing discussions about ethical practices and the integrity of AI recommendations in commercial settings.

Staff
Written By

The AiPressa Staff team brings you comprehensive coverage of the artificial intelligence industry, including breaking news, research developments, business trends, and policy updates. Our mission is to keep you informed about the rapidly evolving world of AI technology.

© 2025 AIPressa · Part of Buzzora Media · All rights reserved.