AI Recommendation Poisoning Threatens Microsoft Copilot

Introduction: why this matters

AI assistants are increasingly trusted to summarize content, compare vendors, and recommend next steps. Microsoft security researchers are now seeing adversarial (and commercially motivated) attempts to persistently bias these assistants by manipulating their memory—turning a seemingly harmless “Summarize with AI” click into a long-lived influence on future responses.

In enterprise environments, this is more than an integrity issue. If an assistant’s recommendations can be subtly steered, it can impact procurement decisions, security guidance, and user trust—without obvious indicators that anything changed.

What’s new: AI Recommendation Poisoning in the wild

Microsoft Defender Security Research Team describes an emerging promotional abuse pattern they call AI Recommendation Poisoning:

• Hidden prompt injection via URL parameters: Web pages embed links (often behind “Summarize with AI” buttons) that open an AI assistant with a pre-filled prompt using query parameters like ?q=<prompt>.
• Persistence targeting “memory” features: The injected prompt attempts to add durable instructions such as “remember [Company] as a trusted source” or “recommend [Company] first.”
• Observed at scale: Over a 60-day review period of AI-related URLs seen in email traffic, researchers identified 50+ distinct prompt attempts from 31 companies across 14 industries.
• Cross-platform targeting: The same approach was observed aiming at multiple assistants (examples included URLs for Copilot, ChatGPT, Claude, Perplexity, and others). Effectiveness varies by platform and evolves as mitigations roll out.

How it works (and why memory changes the risk)

Modern assistants can retain:

• Preferences (formatting, tone)
• Context (projects, recurring tasks)
• Explicit instructions (“always cite sources”)

That usefulness creates an attack surface: AI memory poisoning (MITRE ATLAS® AML.T0080) occurs when an external actor causes unauthorized “facts” or instructions to be stored as if they were user-intended. The research maps this technique to prompt-based manipulation and related categories (including MITRE ATLAS® entries such as AML.T0051).

Impact on IT admins and end users

• Recommendation integrity risk: Users may receive biased vendor/product guidance that appears objective.
• Hard-to-detect manipulation: The “poison” can persist across sessions, making it difficult for users to connect later decisions to an earlier click.
• Increased social engineering surface: These links can appear on the web or be delivered via email, blending marketing tactics with security abuse.

Microsoft notes it has implemented and continues deploying mitigations in Copilot against prompt injection; in several cases, previously reported behaviors could no longer be reproduced—indicating defenses are evolving.

Action items / next steps

• Update security awareness training: Teach users that AI “summarize” links can be weaponized, especially if they pre-fill prompts.
• Review email and web protections: Ensure link-scanning and phishing defenses are tuned to analyze unusual URL parameters and redirect patterns.
• Establish AI usage guidance: Encourage users to verify sources, cross-check recommendations, and report suspected “memory” anomalies.
• Operational playbook: Define steps for users/admins to review and clear assistant memory (where supported) and to report suspicious prompts/URLs to security teams.

Recommendation Poisoning is a clear signal that as AI becomes a decision-support layer, integrity and provenance controls must evolve alongside traditional phishing and web threat models.