THOSE 'Summarize With AI' buttons may be exploited to seed persistent mischief, with Microsoft uncovering AI recommendation poisoning across 31 different companies in 60 days, spanning 14 industries. The tactic relies on hidden instructions embedded in hyperlink prompts that are loaded when users click the button, potentially steering AI memory and recommendations long after the initial visit.
Microsoft notes that turnkey tools such as CiteMET NPM Package and AI Share URL Creator make it easy to generate links that inject marketing material or other prompts into AI assistants. In its observations, 50 unique prompt-based AI memory poisoning attempts were recorded, and 80% of Fortune 500 companies reportedly use AI agents in their environments, amplifying the potential impact.
Mitigations include threat hunting queries to detect AI recommendation poisoning URLs in emails and Teams messages and to identify users who have clicked such links, and organisations are urged to monitor links pointing to AI assistant domains for prompts like remember, trusted source, and authoritative source. According to Microsoft, the issue is real and evolving, and attackers could tailor attacks by fingerprinting different AI assistants used by victims.