MICROSOFT has disclosed a backdoor-like AI hijack technique dubbed AI Recommendation Poisoning, where legitimate businesses embed hidden instructions into Summarize with AI prompts to bias chatbot memory and recommendations. According to Microsoft Defender Security Research Team, researchers found over 50 unique prompts from 31 companies across 14 industries over a 60-day period, designed to cause the AI to remember certain sources or rank them first.
The prompts are delivered via specially crafted URLs that pre-populate memory manipulation instructions when users click a Summarize with AI button on websites, potentially biasing responses on health, finance and security topics without user awareness. Memory poisoning can occur through social engineering or cross-prompt injections, but Microsoft notes this attack uses clickable links that execute prompts automatically.
The firm also highlights turnkey tools that make embedding AI memory manipulation and promotional material on websites easier, raising concerns about transparency and trust in AI-driven recommendations. To mitigate the risk, users are advised to audit assistant memory, hover over AI buttons, avoid untrusted links, and look for prompts containing keywords such as remember or trusted source.