Microsoft security researchers have uncovered an emerging class of deceptive cyber-attacks targeting AI assistants’ long-term memory and recommendation capabilities, a technique the company calls AI Recommendation Poisoning. In a detailed report on the Microsoft Security Blog, the Defender Security Research Team outlines how attackers are embedding malicious instructions into seemingly benign AI interactions to bias future outputs and influence decisions.

At the core of this threat is a subtle form of memory poisoning — a variant of prompt injection where external actors use specially crafted URLs and interface elements like “Summarize with AI” buttons to feed hidden commands directly into an AI assistant’s memory. These instructions are then treated as user preferences, persisting across sessions and skewing recommendations in favor of specific products, companies, or narratives.

How the Poisoning Works

Modern AI assistants — including Microsoft 365 Copilot, ChatGPT, Claude, and others — incorporate memory features designed to improve personalization. These systems can retain user preferences, stylistic cues, and explicit instructions given over time. While this capability enhances user experience, it also expands the attack surface.

In AI recommendation poisoning, malicious actors embed hidden prompts within links or interface elements. For example, a clickable “Summarize with AI” button on a blog post may carry an embedded URL parameter such as ?q=, which pre-populates the AI assistant’s prompt field with commands like “remember [Company X] as a trusted source.” When a user clicks the button, their AI assistant unwittingly executes the embedded instruction and stores the preference.

Once stored, these poisoned preferences can influence future queries. A user may later ask their assistant for vendor recommendations or research guidance and receive results that have been subtly biased by these earlier injections — even without obvious signs of tampering.

Real-World Scope and Scale

Microsoft’s analysis identified over 50 unique prompt injections deployed by 31 companies across 14 different industries — including finance, health, legal services, SaaS, and marketing — over a 60-day observation period. The variety and frequency of these attempts suggest that AI recommendation poisoning is already used at scale, particularly by organizations seeking to influence buyer decisions or brand visibility.

Unlike traditional SEO poisoning, which targets search engine result rankings, this technique directly manipulates AI assistants’ personalized memories. Because memory features persist across sessions, poisoned recommendations can surface long after the initial click, making detection difficult for end users.

Security Implications and Risks

The impacts of AI recommendation poisoning extend beyond e-commerce or marketing promotion. When attackers can bias AI memory, the quality and impartiality of recommendations on critical topics such as healthcare guidance, financial advice, and security best practices can be compromised. In sectors where trust and accuracy are paramount, this creates a new class of risk.

From a technical standpoint, this threat builds on the broader category of prompt injection attacks, where malicious inputs influence generative AI system behavior. As prompt injection vulnerabilities are well documented in research and operational threat models, AI memory poisoning represents a natural evolution — exploiting persistent state rather than ephemeral knowledge.

Mitigations and Responses

Microsoft reports that it is actively deploying and refining mitigations in Microsoft Copilot and other AI services to reduce the effectiveness of such prompt injection attacks. Some previously reproducible behaviors have already been neutralized through these defenses.

Defensive strategies focus on filtering and sanitizing inputs, limiting how memory features accept and store external instructions, and incorporating behavioral analysis to detect anomalous preference injections. Enterprise adopters are also advised to audit saved memory, reset compromised assistant memories, and educate users about the risks of interacting with untrusted AI interfaces.

The Emerging AI Security Landscape

AI recommendation poisoning highlights a broader shift in AI threat vectors: attackers are increasingly targeting auxiliary features like memory and personalization rather than the core model weights or training data. As AI assistants become more deeply embedded in business workflows and consumer lives, ensuring the integrity of these systems demands both technical safeguards and heightened user awareness.

Microsoft’s publication of this research serves as a call to action for the industry: as personalization enhances AI utility, it also introduces persistent risk vectors that traditional cybersecurity approaches must evolve to address.