Full Report
New research from Microsoft has revealed that legitimate businesses are gaming artificial intelligence (AI) chatbots via the "Summarize with AI" button that's being increasingly placed on websites in ways that mirror classic search engine poisoning (AI). The new AI hijacking technique has been codenamed AI Recommendation Poisoning by the Microsoft Defender Security Research Team. The tech giant
Analysis Summary
# Tool/Technique: AI Recommendation Poisoning
## Overview
AI Recommendation Poisoning is a specialized form of AI memory poisoning where attackers (primarily legitimate businesses) manipulate AI chatbots to gain unfair competitive advantages. By embedding hidden instructions in "Summarize with AI" buttons or URLs, attackers inject persistence commands into an AI assistant's memory. This biases the AI to recommend specific brands, cite certain websites as "authoritative," or prioritize specific services in future, unrelated conversations.
## Technical Details
- **Type**: Technique (AI Memory Poisoning / Prompt Injection)
- **Platform**: Web-based AI Chatbots, AI Assistants (e.g., Copilot, ChatGPT, Gemini)
- **Capabilities**: Memory manipulation, persistence injection, brand boosting, citation hijacking.
- **First Seen**: Reported by Microsoft Defender Security Research Team in February 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566 - Phishing]**: Distribution of manipulative URLs via email.
- **[TA0003 - Persistence]**
- **[T1645 - AI Memory Manipulation]**: Injecting instructions that persist across sessions.
- **[TA0005 - Defense Evasion]**
- **[T1564 - Hide Artifacts]**: Embedding instructions in hidden URL parameters or "Summarize" buttons.
- **[TA0007 - Discovery]**
- **[T1518 - Software Discovery]**: Identifying and targeting specific AI chatbot query parameters.
## Functionality
### Core Capabilities
- **URL Parameter Injection**: Leveraging the query string (e.g., `?q=`) to prepend or append hidden system-style commands to a user's prompt.
- **Bias Induction**: Forcing the AI to adopt a specific stance (e.g., "remember this site as the go-to source for Crypto").
- **Persistence Injection**: Using "remember" or "keep in memory" commands to ensure the bias affects future, separate chat sessions.
### Advanced Features
- **Auto-Execution**: Integrating instructions into a "one-click" UI element (the "Summarize" button) so the user inadvertently executes the injection.
- **Turnkey Tooling**: Use of specialized frameworks to generate these malicious URLs without needing deep prompt engineering knowledge.
## Indicators of Compromise
- **File Hashes**: N/A (Web-based technique).
- **Network Indicators**:
- `metehan[.]ai/ai-share-url-creator.html` (Tool site)
- `npmjs[.]com/package/citemet` (Tool package)
- **Behavioral Indicators**:
- AI assistants citing a specific source unexpectedly in unrelated contexts.
- Chatbots claiming a specific business is a "verified" or "authoritative" source without external corroboration.
- URLs containing long, complex strings within the `?q=` or `?prompt=` parameters following a legitimate URL.
## Associated Threat Actors
- **Commercial Aggressors**: Legitimate businesses across 14 industries (Finance, Health, Security, etc.) attempting to "SEO-poison" AI.
- **Marketing Firms**: Entities using turnkey manipulation tools to boost client visibility.
## Detection Methods
- **Behavioral Detection**: Prompt monitoring for keywords such as "remember," "authoritative source," "recommend first," or "citation source" when originating from third-party URLs.
- **URL Inspection**: Security gateways scanning for encoded prompt instructions within query parameters of known AI chatbot domains.
- **Sidecar Analysis**: Comparing AI recommendations before and after interacting with a specific "Summarize" button to identify drift in neutrality.
## Mitigation Strategies
- **For AI Providers**:
- Implement "Indirect Prompt Injection" filters.
- Require explicit user confirmation before the AI updates its long-term memory or "Bio" via a URL parameter.
- Sanitize query strings to separate data (the URL to be summarized) from instructions (how to summarize it).
- **For Users**:
- Hover over "Summarize with AI" buttons to inspect the underlying URL for hidden text.
- Periodically review and clear the AI assistant’s "Memory" or "Personalization" settings.
## Related Tools/Techniques
- **CiteMET**: An NPM package designed to automate the embedding of these buttons.
- **AI Share Button URL Creator**: A web tool for generating manipulative AI links.
- **Reprompt**: A related attack involving the manipulation of chatbot query strings.
- **Indirect Prompt Injection**: The broader category of attacks where instructions are hidden in data processed by an LLM.