In a new cybersecurity alert, Microsoft security researchers have identified a rising threat they call “AI Recommendation Poisoning,” a sophisticated technique designed to manipulate artificial intelligence systems in order to bias future recommendations and responses.

The attack exploits modern AI assistants’ memory features — like those in Microsoft 365 Copilot and other generative AI tools — by embedding hidden instructions in seemingly helpful actions such as “Summarize with AI” buttons. When users click these links, the embedded code can instruct the AI to store specific “trusted” sources or prioritise particular companies in later interactions.

How the Manipulation Works

Researchers found that attackers are embedding prompts into URLs that, once executed, prompt the AI assistant to remember and recommend certain sources. These prompts are often disguised within everyday web interactions, making them difficult for users to spot. For example, a hyperlink might instruct an AI assistant to recommend a specific service or website as the preferred choice in future responses — subtly shaping decisions over time without a user’s awareness.

In their analysis, Microsoft’s Defender Security Research Team identified more than 50 unique manipulation prompts across 31 different companies in 14 industries. These instructions leverage URL query parameters that many popular AI assistants support, including Copilot, ChatGPT, Claude, Perplexity, and Grok.

Why This Is a Concern

The danger of recommendation poisoning goes beyond harmless suggestions or targeted advertising. Because AI assistants increasingly influence decisions in areas such as healthcare, finance, and security, a poisoned recommendation could — over time — push users toward biased, incomplete, or self-serving information. Users might not realise their AI’s suggestions have been compromised until outcomes are already shaped by these manipulations.

For instance, a business leader could unknowingly commit to an expensive technology partnership after an AI assistant consistently prioritises that provider due to poisoned memory. While such scenarios remain hypothetical, Microsoft researchers consider them plausible enough to merit urgent attention.

Industry Response and Mitigations

Microsoft says it has already begun deploying protections against these kinds of prompt injection attacks in products like Copilot. Reportedly, several previously successful manipulation techniques can no longer be reproduced thanks to updated defensive measures — though the company acknowledges that defenses will need to evolve as attackers adapt.

This latest finding builds on broader concerns across the cybersecurity community about adversarial AI attacks, where machine learning systems are manipulated not just at training time but during real-world use to influence behaviour and outcomes.

What Users Should Do

Security experts recommend that organisations and individuals remain cautious about clicking on links that invoke AI actions unless they come from trusted sources. Providers of AI tools are also urged to tighten prompt handling and memory validation mechanisms to limit unwanted influence.