Prompt Injection Attacks Abuse AI Agent Memory and Link Previews for Manipulation and Data Exfiltration
Security researchers reported multiple prompt-injection-driven attack paths that exploit how AI assistants and agentic systems process untrusted content. Microsoft researchers described AI recommendation/memory poisoning (mapped in MITRE ATLAS as AML.T0080: Memory Poisoning) in which attackers insert instructions that cause an assistant to persistently “remember” certain companies, sites, or services as trusted or preferred, shaping future recommendations in later, unrelated conversations. Observed activity over a 60-day period included 50 distinct prompt samples tied to 31 organizations across 14 industries, with potential downstream impact in high-stakes domains like health, finance, and security where manipulated recommendations can mislead users without obvious signs of tampering.
A separate finding highlighted how AI agents embedded in messaging apps can be coerced into leaking secrets via malicious link previews. PromptArmor demonstrated that an attacker can use chat-based prompt injection to trick an AI agent into generating an attacker-controlled URL that includes sensitive data (e.g., API keys) as parameters; when messaging platforms (e.g., Slack/Telegram) automatically fetch link preview metadata, the preview request can become a zero-click exfiltration channel—no user needs to click the link for the data-bearing request to be sent. Together, the reports underscore that agent features intended to improve usability—persistent memory, URL-based prompt prepopulation (e.g., “Summarize with AI” buttons), and automatic preview fetching—can be repurposed into scalable manipulation and data-loss mechanisms when untrusted prompts are processed implicitly.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft documents AI Recommendation Poisoning campaign trend
Microsoft security researchers reported a growing trend of 'AI Recommendation Poisoning' or memory poisoning attacks that use hidden prompts in links, documents, emails, and web pages to bias AI assistant recommendations and potentially persist in memory. Over a 60-day observation period, they collected 50 distinct prompt samples tied to 31 organizations across 14 industries and warned of risks in areas such as health, finance, and security.
PromptArmor discloses zero-click AI data leak via messaging link previews
PromptArmor reported that messaging app link preview features can exfiltrate sensitive data when an AI agent is induced to generate an attacker-controlled URL containing secrets. The firm said the issue affects AI agents in platforms such as Slack and Telegram, noted OpenClaw is vulnerable in default Telegram configurations, and recommended preview-control mitigations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Microsoft warns of AI recommendation poisoning attacks | SC Media
scworld.com
Open sourceMicrosoft: Poison AI buttons and links may betray your trust • The Register
go.theregister.com
Open sourceThat "summarize with AI" button might be manipulating you - Help Net Security
helpnetsecurity.com
Open sourceAI agents can spill secrets via malicious link previews • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection Risks in Agentic AI and AI-Powered Browsers
Security researchers reported that **prompt injection** is enabling practical attacks against *agentic AI* systems that have access to tools and user data, and argued the industry is underestimating the threat. A proposed framing, **“promptware,”** describes malicious prompts as a malware-like execution mechanism that can drive an LLM to take actions via its connected tools—potentially leading to **data exfiltration**, cross-system propagation, IoT manipulation, or even **arbitrary code execution**, depending on the permissions and integrations available. Trail of Bits disclosed results from an adversarial security assessment of Perplexity’s *Comet* browser, showing how prompt injection techniques could be used to **extract private information from authenticated sessions (e.g., Gmail)** by abusing the browser’s AI assistant and its tool access (such as reading page content, using browsing history, and interacting with the browser). Their threat-model-driven testing emphasized that agentic assistants can treat external web content as instructions unless it is explicitly handled as **untrusted input**, and they published recommendations intended to reduce prompt-injection-driven data paths between the user’s local trust zone (profiles/cookies/history) and vendor-hosted agent/chat services.
Mar 21, 2026
AI Recommendation Poisoning via Hidden Prompts and Reputation-Farming Agents
Security researchers reported **AI recommendation poisoning** attacks that abuse “*Summarize with AI*” buttons and AI share links to inject hidden instructions into AI assistants via crafted URL parameters. When a user clicks these links, the pre-filled prompt can attempt to write persistent directives into an assistant’s **memory** (where supported), biasing future outputs to treat certain companies as trusted sources or to prioritize specific products and advice in areas like finance, health, and security. Microsoft researchers said they observed **50+ unique prompts** tied to **31 companies across 14 industries**, and noted that readily available tooling (e.g., *CiteMET* and “AI Share URL” generators marketed as SEO hacks) lowers the barrier to deploying these manipulation techniques across email and web traffic. Separately, reporting described **AI-agent-driven “reputation farming”** targeting **open-source maintainers**, indicating a broader trend of adversaries using automated AI workflows to influence trust signals and perceived credibility in technical ecosystems. While the tactics differ (memory/prompt injection via AI links vs. automated outreach to maintainers), both reflect an emerging risk: **manipulation of AI-mediated recommendations and reputational signals** to steer user and developer decisions without transparent attribution, increasing the likelihood of downstream security impact (e.g., biased security guidance, promoted dependencies, or trust in unvetted sources).
Mar 21, 2026
Indirect Prompt Injection Flaws Expose AI Browsers and Assistants to Data Theft
Researchers and security outlets reported multiple indirect prompt injection weaknesses affecting AI-driven browsing and assistant features, showing how hidden instructions embedded in untrusted web content can manipulate model behavior and steer users into credential theft or data exposure. Cato Networks disclosed **WebPromptTrap** in BrowserOS, where malicious webpage content abused Agent Chat Mode summarization to insert a convincing call to action and attacker-selected link; in the proof of concept, victims could be pushed into a GitHub authorization flow that exposed access tokens and repository access. Cato said the issue affected BrowserOS `0.30.0` and earlier, was identified in `0.29.0`, and was fixed in `0.32.0` after responsible disclosure. Separate reporting described similar risks in OpenAI's **ChatGPT Atlas** browser and in Microsoft **Copilot**, underscoring that the problem extends beyond a single product. LayerX said Atlas could be fed malicious instructions through web content in a "tainted memories" attack, while Axios, TechSpot, and commentary from OpenAI CISO Dane Stuckey highlighted broader security and privacy concerns around prompt injection in AI browsers. Varonis also detailed **Reprompt**, a single-click Copilot attack that could silently exfiltrate personal data. Together, the disclosures show that AI systems that summarize pages, retain context, or act on behalf of users can be turned into phishing and data-theft intermediaries unless untrusted content is strictly isolated from model instructions.
Jun 9, 2026