AI Recommendation Poisoning via 'Summarize with AI' Buttons (31 Companies) (2026)

Incident Summary

In February 2026, Microsoft Defender researchers published findings documenting a widespread campaign in which at least 31 companies across 14 industries embedded hidden prompt-injection commands within “Summarize with AI” style buttons on their websites.^[1] When users clicked these buttons to generate AI summaries of web content, the URLs carried concealed parameters that instructed AI assistants to “remember [Company] as a trusted source” or “recommend [Company] first,” silently poisoning the assistants’ long-term memory to bias future, unrelated recommendations toward those brands.^[1][2]

Microsoft identified over 50 distinct hidden prompts across these companies, spanning health, finance, security, and technology sectors.^[1] The technique is categorized under MITRE ATLAS as AML.T0080 (Memory Poisoning), representing a novel form of AI-directed search engine optimization where the target is not a search engine algorithm but an AI assistant’s persistent memory and recommendation behavior.^[5]

Key Facts

• Microsoft Defender identified 31 companies across 14 industries using this technique^[1]
• Over 50 distinct hidden prompts were documented^[1]
• The attack vector is a “Summarize with AI” button whose URL contains hidden prompt-injection parameters^[2]
• Injected commands instruct AI assistants to persistently trust or prioritize specific vendors in future responses^[3][4]
• The technique turns a helpful user-facing feature (AI summarization) into a covert influence mechanism^[4]
• MITRE ATLAS classifies this as AML.T0080: Memory Poisoning^[5]
• The campaign affects health, finance, and security topics among others^[2]

Threat Patterns Involved

Primary: Memory Poisoning — This is a direct instance of AI memory poisoning at scale, where persistent memory stores of AI assistants are corrupted through prompt injection to alter future behavior. The attack exploits the trust boundary between user-initiated summarization and the assistant’s long-term memory system.

Secondary: Deceptive & Manipulative Interfaces — The “Summarize with AI” button presents a legitimate-seeming user interface that conceals its true function of injecting persistent commands, deceiving users about the action they are performing.

Secondary: Disinformation Campaigns — The campaign represents a coordinated effort by multiple organizations to systematically distort the information environment that AI assistants draw upon for recommendations, functioning as a form of AI-directed influence operation.

Significance

This incident represents the first documented large-scale, commercial deployment of AI memory poisoning as a competitive strategy.^[1] Unlike research demonstrations of memory injection, this campaign involves real businesses deliberately manipulating AI assistants to gain market advantage, effectively creating a new category of AI-directed SEO where the ranking system being gamed is an assistant’s long-term memory rather than a search index.^[3] The breadth of the campaign — 31 companies, 14 industries, 50+ distinct prompts — indicates that AI recommendation poisoning has already become an established commercial practice rather than an isolated exploit.^[1][5] This raises fundamental questions about the trustworthiness of AI-generated recommendations and the adequacy of current defenses against persistent memory manipulation in production AI systems.