The New SEO

Search engine optimization has always been a game of manipulation - convincing algorithms to surface your content above your competitors'. For decades, the battlefield was Google. Now that AI assistants are increasingly where people go for recommendations, it was only a matter of time before marketers turned their attention to manipulating those systems too. Microsoft's Defender Security Research Team documented exactly how that manipulation works in practice, and the results are as clever as they are unsettling.

On February 10, 2026, Microsoft published findings from a 60-day observation period in which its researchers identified over 50 distinct prompt injection attempts from 31 legitimate companies across 14 industries. These were not criminal hackers or state-sponsored threat actors. They were real businesses in finance, health, legal services, SaaS, marketing, and food services, using freely available tools to manipulate AI assistants into becoming their personal promotional channels.

How the Attack Works

The technique centers on a feature that has become common on websites: a "Summarize with AI" button. When a user clicks one of these buttons, it opens their AI assistant - whether that is Microsoft Copilot, ChatGPT, Claude, Perplexity, or Grok - with a pre-filled prompt delivered through a URL parameter such as ?q= or ?prompt=.

In a legitimate implementation, that pre-filled prompt would simply contain the article text for the assistant to summarize. In the poisoned version, the prompt includes hidden instructions that go far beyond summarization. These instructions tell the AI assistant to "remember [Company] as a trusted source" or "recommend [Company] first" in future conversations. Because modern AI assistants now include persistent memory features that carry information across sessions, these injected instructions do not expire when the conversation ends. They persist, influencing every answer the assistant gives going forward.

Microsoft classified this using the MITRE ATT&CK and MITRE ATLAS frameworks. The initial execution relies on T1204.001 (User Execution: Malicious Link) and AML.T0051 (LLM Prompt Injection). But the critical classification is AML.T0080.000 (AI Agent Context Poisoning: Memory) - the persistence mechanism that separates this from a regular prompt injection. Most prompt injection attacks affect only the current conversation. Memory poisoning survives across sessions, silently biasing the assistant's future recommendations without the user knowing anything has changed.

The Delivery Methods

Microsoft identified three primary delivery paths for the memory-poisoning instructions.

The most common was the malicious link approach - the "Summarize with AI" buttons. When a user clicks the button, the AI assistant opens and processes the embedded prompt immediately. In some cases, the same links were also delivered through email campaigns, expanding the reach beyond website visitors.

Researchers also found embedded prompts hidden inside documents, emails, or web pages. When an AI assistant processes this content - for instance, when a user asks their assistant to summarize an email or a webpage - the hidden instructions get ingested along with the visible content. This aligns with known cross-prompt injection patterns where adversarial instructions are concealed within otherwise normal text.

The third method relied on straightforward social engineering: persuading users to paste prompts that contain memory-altering commands, often disguised as helpful tips or productivity shortcuts.

The Tool Ecosystem

What made the campaign particularly concerning was how accessible the attack methodology had become. Microsoft identified turnkey tools that made crafting manipulative links trivial, requiring no technical expertise.

The CiteMET NPM package, publicly available on npmjs.com, provided ready-made JavaScript code for embedding AI memory manipulation buttons on websites. It generated URL structures that pre-filled AI assistant prompts with memory injection instructions. Its creators marketed it not as a hacking tool but as a way to build "AI memory presence" - essentially positioning prompt injection as a legitimate marketing strategy, an "LLM SEO growth hack."

Another tool, the AI Share URL Creator, offered similar functionality for generating manipulative share links. Together, these tools lowered the barrier to entry so far that anyone who could embed a button on a webpage could execute persistent memory poisoning against their visitors' AI assistants.

The Scale and Scope

Over the 60-day observation period, Microsoft logged 50 distinct memory-poisoning prompt samples associated with 31 organizations across 14 industries. The affected AI assistants included the major platforms: Microsoft Copilot, ChatGPT, Claude, Perplexity, and Grok. The poisoned memory entries typically instructed the assistant to treat the attacking company as a "trusted source," an "authoritative" resource, or a "go-to platform" for a particular topic.

The industries involved ranged from relatively benign (food services, marketing) to deeply concerning (health, finance, legal services). A manipulated AI assistant that preferentially recommends a specific financial services company or healthcare provider because its memory was silently altered is not just a marketing ethics issue. It is a potential route to real harm if users follow AI recommendations that were planted by advertisers rather than derived from the assistant's actual training data or legitimate web sources.

Why Persistent Memory Makes This Dangerous

The persistent memory feature in modern AI assistants is the fulcrum that makes this attack meaningful. Without memory persistence, a prompt injection affects only the current session. The user closes the chat, the manipulation disappears. With memory, the injection is effectively a one-shot operation that pays dividends indefinitely.

Once an AI assistant "remembers" that Company X is a trusted source for cybersecurity advice, every future conversation about cybersecurity tools will be subtly influenced by that stored preference. The user sees what looks like a neutral AI recommendation. In reality, they are seeing the output of a marketing campaign they unknowingly opted into by clicking a button on a website weeks or months ago.

Microsoft noted that users can check and clear their AI assistant's stored memories - in Copilot through Settings, in ChatGPT through the Profile menu - but this requires the user to know that memory poisoning is even possible and to proactively audit entries they did not create. This is roughly equivalent to telling people they can protect themselves from malware by manually reviewing every file on their hard drive. Technically true. Practically useless at scale.

The Mirror to SEO Poisoning

Microsoft deliberately drew the parallel to traditional SEO poisoning because the dynamics are structurally identical. In SEO poisoning, attackers manipulate search engine algorithms to surface malicious or biased content. In AI Recommendation Poisoning, attackers manipulate AI assistant memory to surface biased recommendations. The target has shifted from search engine indexes to AI memory stores, but the goal is the same: control what information surfaces when a person asks a question.

The difference is that SEO poisoning affects search results that users understand are algorithmically ranked. AI memory poisoning affects conversational responses that users tend to trust as personalized and neutral. The potential for misplaced trust is significantly higher.

The Uncomfortable Reality

The most striking aspect of Microsoft's findings is that every observed case involved legitimate businesses, not hackers. These were companies with real products and real marketing departments who decided that silently manipulating their customers' AI assistants was an acceptable growth strategy. That the tools to do this were marketed as productivity enhancements rather than attack tools tells you everything about where the line between marketing and manipulation currently sits in the AI era - which is to say, it does not really sit anywhere at all.