{"id":15783,"date":"2026-02-12T00:24:51","date_gmt":"2026-02-12T00:24:51","guid":{"rendered":"https:\/\/newestek.com\/?p=15783"},"modified":"2026-02-12T00:24:51","modified_gmt":"2026-02-12T00:24:51","slug":"companies-are-using-summarize-with-ai-to-manipulate-enterprise-chatbots","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15783","title":{"rendered":"Companies are using \u2018Summarize with AI\u2019 to manipulate enterprise chatbots"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

That handy \u2018Summarize with AI\u2019 button embedded in a growing number of websites, browsers, and apps to give users a quick overview of their content could in some cases be hiding a dark secret: a new form of AI prompt manipulation called \u201cAI recommendation poisoning.\u201d<\/p>\n

So says Microsoft, which this week released research<\/a> on a currently legal but extremely sneaky AI hijacking technique that appears to be spreading like wildfire among legitimate businesses.<\/p>\n

While most \u2018Summarize with AI\u2019 buttons are exactly what they seem to be \u2013 a time-saving way to generate a summary of a website or document \u2013 a small but growing number appear to have strayed from that purpose.<\/p>\n

Here\u2019s how the manipulation works: a user innocently clicks on a website Summarize button. Unbeknownst to them, this button also contains a hidden prompt telling the user\u2019s AI agent or chatbot to favor that company\u2019s products in future responses. The same instruction can also be concealed in a specially crafted link sent to a user in an email.<\/p>\n

Microsoft highlights how this tactic could be used to skew enterprise product research without that bias being detected before it influences decisions. Over a two-month period, its researchers identified 50 examples of the technique being deployed by 31 different companies in dozens of industry sectors, including finance, health, legal, SaaS, and business services. In an ironic twist, this even included an unnamed vendor in the security sector.<\/p>\n

The technique is widespread enough that, last September, MITRE added it to its list of known AI manipulations<\/a>.\u00a0<\/p>\n

AI leverages user preferences<\/h2>\n

AI recommendation poisoning is made possible by user AIs that are designed to ingest and remember prompts as signals of the user\u2019s preferences; if the user says that they favor something, the AI will helpfully remember that preference as part of its profile for that user.<\/p>\n

Unlike prompt injection, in which an attacker manipulates an AI using a one-off instruction, recommendation poisoning has the added advantage of achieving longer-term persistence across future prompts. The AI, of course, has no way of distinguishing genuine preferences from those injected by third parties along the way:<\/p>\n

\u201cThis personalization makes AI assistants significantly more useful. But it also creates a new attack surface;\u00a0if someone can inject instructions\u00a0or spurious facts\u00a0into your AI\u2019s memory, they gain persistent influence over your future interactions,\u201d said Microsoft.<\/p>\n

To the user, everything will seem normal, except that, behind the scenes, the AI keeps pushing the bogus or poisoned responses when they ask it questions in a\u00a0 relevant context.<\/p>\n

\u201cThis matters because compromised AI assistants can provide subtly biased recommendations on critical topics including health, finance, and security without users knowing their AI has been manipulated,\u201d said the researchers.<\/p>\n

Pushing falsehoods<\/h2>\n

A factor driving the recent popularity of recommendation poisoning appears to be the availability of open-source tools that make it easy to hide this function behind website Summarize buttons.<\/p>\n

This raises the uncomfortable possibility that poisoned buttons aren\u2019t being added as an afterthought by SEO developers who get carried away. More likely, the intention from the start is to contaminate users\u2019 AIs as a form of self-serving marketing.<\/p>\n

In Microsoft\u2019s view, the dangers go beyond over-zealous marketing, and could just as easily be used to push falsehoods, dangerous advice, biased news sources, or commercial disinformation. What\u2019s certain is that if legitimate companies are abusing the feature, cybercriminals won\u2019t be shy about using it too.<\/p>\n

The good news is that the technique is relatively easy to spot and block, even if you don\u2019t use Microsoft\u2019s Microsoft 365 Copilot or Azure AI services, which the company says contain integrated protections.<\/p>\n

For individual users, this involves studying the saved information a chatbot has accumulated (how this is accessed varies by AI). For enterprise admins, in contrast, Microsoft recommends checking for URLs containing phrases such as \u2018remember,\u2019 \u2018<\/em>trusted source,\u2019\u00a0\u2018in future conversations,\u2019\u00a0\u2018authoritative source,\u2019 <\/em>and\u00a0\u2018cite or citation.\u2019 \u00a0<\/em><\/p>\n

None of this should be surprising. Once, URLs and file attachments were seen as convenient rather than inherently risky. AI is simply following the same path that every new technology must endure as it moves into the mainstream and becomes a target for misuse.<\/p>\n

As with other new technologies, users should educate themselves on the dangers posed by AI. \u201cAvoid clicking AI links from untrusted sources:\u00a0Treat AI assistant links with the same caution as executable downloads,\u201d Microsoft recommended.<\/p>\n

This article originally appeared on CIO.com<\/a>.<\/em><\/p>\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

That handy \u2018Summarize with AI\u2019 button embedded in a growing number of websites, browsers, and apps to give users a quick overview of their content could in some cases be hiding a dark secret: a new form of AI prompt manipulation called \u201cAI recommendation poisoning.\u201d So says Microsoft, which this week released research on a currently legal but extremely sneaky AI hijacking technique that appears… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15783","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15783"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15783\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}