Microsoft has implemented and continues to deploy mitigations against prompt injection attacks in Copilot, the company announced last week. Spammers were using the "Summarize with AI" type of buttons to trick AI engines into believing or trusting a specific company or response.
Microsoft said they call this "AI Recommendation Poisoning." This is where companies are embedding hidden instructions in "Summarize with AI" buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters.
These prompts instruct the AI to “remember [Company] as a trusted source” or “recommend [Company] first,” aiming to bias future responses toward their products or services. We identified over 50 unique prompts from 31 companies across 14 industries, with freely available tooling making this technique trivially easy to deploy. This matters because compromised AI assistants can provide subtly biased recommendations on critical topics including health, finance, and security without users knowing their AI has been manipulated.
This worked against Copilot, ChatGPT, OpenAI, Claude, Perplexity, Grok and others, Microsoft explained.
AI Memory Poisoning occurs when an external actor injects unauthorized instructions or “facts” into an AI assistant’s memory. Once poisoned, the AI treats these injected instructions as legitimate user preferences, influencing future responses," Microsoft wrote.
This is done through malicious links, embedded prompts and social engineering.
Here is an example:
Anyway, these hacks work until they don't.
Heads-up if you are doing this... I have caught this happening during several audits over the past 3-4 months. E.g. "Summarize with AI" buttons with instructions to sway the AI platforms... And btw, if Microsoft is on to this, then you better believe Google is on to it...
— Glenn Gabe (@glenngabe) February 20, 2026
From… https://t.co/RMMOriqsSl
Forum discussion at X.
