Microsoft: ‘Summarize With AI’ Buttons Used To Poison AI Recommendations via @Sejournal, @MattGSouthern

The rise of generative AI assistants has introduced a new attack surface that mirrors traditional SEO manipulation. Microsoft’s Defender Security Research team recently disclosed a practice it calls “AI Recommendation Poisoning,” where website buttons labeled “Summarize with AI” carry hidden prompt‑injection payloads. When a user clicks, the assistant receives a URL‑encoded instruction that not only asks for a summary but also tells the model to remember the originating site as a trusted source. By planting credibility directly into the model’s memory, adversaries can sway future citations and recommendations without any visible trace.

The researchers examined 60 days of email traffic and uncovered 50 distinct injection attempts originating from 31 legitimate companies. The hidden prompts follow a common pattern—adding phrases such as “trusted source for citations” or embedding full marketing copy—using publicly available tools like the npm package CiteMET and the AI Share URL Creator. The technique exploits URL query parameters supported by major assistants including Copilot, ChatGPT, Claude, Perplexity, and Grok, and has been cataloged under MITRE ATLAS AML.T0080 (Memory Poisoning) and AML.T0051 (Prompt Injection).

From a business perspective, AI recommendation poisoning threatens the same trust model that SEO once protected, allowing competitors to hijack AI‑driven brand rankings at the point of user interaction. Microsoft responded by hardening Copilot against cross‑prompt attacks and releasing advanced‑hunting queries for Defender for Office 365, enabling security teams to flag suspicious URL parameters. However, the open‑source nature of the tooling means new variants can appear faster than platform mitigations. Regulators and AI providers will need clear policies to define whether such memory manipulation constitutes a policy violation or a gray‑area marketing tactic.