What happened
Microsoft Defender Security Research has identified a new AI‑targeted manipulation method dubbed AI Recommendation Poisoning, in which hidden instructions embedded in seemingly benign “Summarize with AI” buttons and links can inject biased prompts into AI assistants’ memory, skewing future chatbot recommendations and responses.
Who is affected
Enterprises and organizations that use AI assistants and large‑language‑model‑based chatbots for research, vendor insights, recommendations, or decision support could see those systems influenced by external actors embedding covert instructions via URLs that execute when users click “Summarize with AI” buttons on web pages or in email.
Why CISOs should care
This technique undermines the integrity and trustworthiness of AI‑generated recommendations by allowing third parties (including legitimate businesses or threat actors) to persistently bias AI memory. The manipulation can influence future outputs in areas where accuracy and neutrality matter, such as security guidance, vendor evaluations, health information, and financial advice, without users realizing their AI has been compromised.
3 practical actions
- Audit AI memory and configuration policies: Establish processes to review and purge untrusted or unexpected memory entries in enterprise AI assistants, and tighten memory retention or default behaviors.
- Harden input validation and link handling: Block or flag AI assistant redirect URLs with unexpected prompt parameters at proxies, gateways, or email filters to reduce inadvertent injection.
- Educate users and developers: Train teams to recognize and avoid clicking unverified AI‑related buttons/links, and validate AI recommendations by requesting sources and reasoning when high‑impact decisions are informed by AI outputs.