MICROSOFT security researchers describe AI memory poisoning as a growing trend used for promotional purposes, a technique they call AI Recommendation Poisoning. The attacks rely on memory-injection prompts embedded in URLs or clickable “Summarize with AI” buttons that pre-fill prompts and execute when the user clicks, enabling one-click manipulation of an AI assistant’s memory.
Across real-world observations, they identified over 60 days of research with 50 distinct prompt-based examples from 31 companies spanning more than a dozen industries, including finance, health, and legal services. The attackers aim to bias future recommendations by causing the AI to remember certain sources as authoritative or trusted, persisting across conversations.
These techniques are recognised in the MITRE ATLAS knowledge base as AML.T0080: Memory Poisoning, and are observed alongside LLM prompt injection and other memory‑related tactics. Microsoft notes mitigations and protections across Copilot and Azure AI services, including prompt filtering, memory controls, and ongoing research into defending against both memory poisoning and related model poisoning.
According to MITRE ATLAS, the tactic is catalogued as memory poisoning, and the report highlights how attackers use pre-filled prompts to influence AI memory and recommendations.