Microsoft reveals AI Recommendation Poisoning tactic used by 31 companies to manipulate chatbot memory and bias AI assistants for commercial gain.
Microsoft has uncovered a troubling new cybersecurity threat known as AI Recommendation Poisoning, a tactic used by companies to manipulate chatbot memory and influence AI assistants for commercial advantage.
In a detailed report published on February 10, 2026, on the Microsoft Security Blog, the company’s Defender Security Research Team warned that some businesses are embedding hidden promotional instructions into ordinary website features. These instructions are designed to secretly alter how AI assistants respond to users in future conversations.
How AI Recommendation Poisoning Works
According to Microsoft, the technique often appears through harmless looking website buttons labeled “Summarize with AI.” When users click these buttons, special URL parameters are triggered. These parameters inject concealed commands into the persistent memory of AI assistants.
Once the chatbot memory is altered, the assistant may begin to:
- Treat a specific company as a trusted source
- Prioritize certain products in recommendations
- Promote selected services over competitors
This manipulation can persist over time, subtly shaping responses related to shopping, financial advice, health information, or travel planning. Users are typically unaware that the AI’s recommendations have been biased.
Microsoft emphasized that this is not traditional hacking.
“This is not about attackers breaking into systems,” researchers explained. “It is about legitimate businesses quietly skewing AI recommendations in their favor. Once the memory is poisoned, the assistant can subtly promote one brand over others, eroding user trust and creating unfair market advantages.”
Scale and Industry Impact
Microsoft’s researchers analyzed public websites and internal telemetry data over a 60 day period. The findings are significant:
- More than 50 unique hidden prompts were discovered
- These were linked to 31 different companies
- The companies operate across 14 industries
The report states that the method is technically simple and can be deployed using freely available tools. This lowers the barrier for misuse and increases the likelihood of wider adoption.
Microsoft classifies AI Recommendation Poisoning as a form of AI Memory Poisoning, where unauthorized instructions are inserted into an AI system’s stored knowledge. The company also linked the behavior to known adversarial techniques within the MITRE ATLAS framework, including prompt injection and persistence mechanisms.
Top News: How Vaccines Work: From Development to Immunity
Real World Risks of Biased AI Assistants
The risks extend far beyond product promotion.
Microsoft warned that manipulated AI assistants could steer users toward:
- Biased financial products
- Unverified or unsafe health information
- Overpriced services
- Low quality vendors
In high stakes domains such as medical guidance or investment planning, biased AI responses could result in serious financial or health consequences.
The warning comes at a time when AI adoption in enterprises is accelerating. Microsoft’s Cyber Pulse AI Security Report notes that over 80 percent of Fortune 500 companies now use active AI agents. Many of these systems are built using low code or no code tools, often without robust governance or centralized oversight.
This environment increases the risk of shadow AI deployments and unmonitored vulnerabilities, making AI Recommendation Poisoning harder to detect.
Growing Concerns Around AI Governance
Several cybersecurity outlets, including Help Net Security, have echoed Microsoft’s warning. Experts advise users to avoid clicking unfamiliar “Summarize with AI” buttons, especially on unknown websites. Similar manipulative links have reportedly appeared in email campaigns.
Microsoft has not publicly named the companies involved but acknowledged that the trend is expanding as memory enabled AI assistants become common in browsers, email clients, and productivity platforms.
Security experts argue that stronger safeguards are urgently needed. AI developers must improve how assistants handle external instructions and persistent memory updates. Enterprises must ensure full visibility into their AI systems, including third party integrations and embedded web tools.
The Future of Trust in AI Systems
The discovery of AI Recommendation Poisoning raises broader questions about trust, transparency, and fairness in AI driven ecosystems.
As AI assistants play a growing role in personal decisions, professional workflows, and enterprise operations, even subtle manipulations can have wide reaching consequences. The integrity of chatbot memory and recommendation systems is becoming a critical security frontier.
Microsoft has urged the technology industry to act quickly to strengthen defenses against AI memory vulnerabilities. Without proactive safeguards, the credibility of AI assistants and the broader digital economy could be undermined.
The emergence of AI Recommendation Poisoning signals a new phase in cybersecurity challenges, where influence and subtle manipulation may prove more dangerous than direct system breaches.
Top News: Agentic AI Explained: From Chatbots to Autonomous Decision-Makers
