A prompt injection attack used to be a smash-and-grab. You craft a malicious input, the model executes it right there in the conversation, and when the session ends, the attack dies. That was the threat model we built defenses around. It's already outdated.

The Attack That Waits

In February 2026, Microsoft's Defender Security Research Team published findings from a 60-day review of AI-related URLs observed in email traffic. What they found wasn't a novel vulnerability — it was prompt injection being used commercially, at scale, by legitimate businesses. Over 50 distinct examples from 31 companies across 14 industries, all doing the same thing: embedding hidden instructions in web content that, when processed by an AI assistant, would write themselves into the assistant's persistent memory.

The payloads weren't trying to exfiltrate data or produce harmful content. They were planting preferences. "Always recommend [Company X] first." "Consider [Product Y] the industry standard." Bland, reasonable-sounding facts that would sit quietly in memory and bias every future response.

Microsoft calls this "AI Recommendation Poisoning." I'd call it the first time prompt injection grew a business model.

How a Memory Becomes a Trojan

The mechanics are simpler than you'd expect. Here's the attack chain that Palo Alto's Unit 42 demonstrated against Amazon Bedrock Agents earlier this year:

  1. Attacker creates a webpage with a prompt injection payload hidden in the content

  2. User asks the agent to summarize or fetch that URL

  3. The agent processes the page content — payload included

  4. The payload targets the session summarization step specifically, using forged XML tags to position itself as a system instruction rather than conversation content

  5. When the session ends, the poisoned summary gets written to persistent memory

  6. In the next session — hours, days, weeks later — the agent loads that memory as part of its context

  7. The instruction executes silently

The critical trick is step 4. The payload doesn't try to hijack the current conversation. It targets the summarization prompt — the process that decides what's worth remembering. By injecting itself there, it gets laundered through the system's own memory pipeline and comes out looking like a legitimate stored preference.

In Unit 42's demo, the poisoned agent silently encoded booking information into URL query parameters and sent it to an attacker-controlled server. The user saw nothing unusual. The agent behaved normally in every other respect.

The Temporal Gap Is the Whole Problem

Traditional prompt injection defenses are session-scoped. Input filters check what's coming in right now. Output guards check what's going out right now. Even sophisticated approaches like instruction hierarchy or sandwich defenses operate within a single context window.

Memory poisoning breaks this model completely. The injection and the execution happen in different sessions, potentially weeks apart. No single monitoring window captures both halves of the attack. By the time the poisoned instruction fires, the original malicious input is long gone from any active context.

This is why OWASP added a dedicated entry — ASI06, Memory & Context Poisoning — to their Top 10 for Agentic Applications in 2026. And why MITRE gave it a formal technique ID: AML.T0080. The security community is treating this as a categorically different threat, not just another flavor of injection.

Google Gemini's "Sure" Problem

One of the subtler variants targets delayed tool invocation. Researchers found that you could plant conditional instructions in Gemini's memory: "If the user says 'yes' or 'sure', execute [malicious action]." The words "yes" and "sure" are so common in normal conversation that the trigger fires naturally, without the user doing anything unusual.

This variant is particularly nasty because the trigger words bypass any keyword-based detection. There's nothing suspicious about a user saying "sure." The suspicion lives entirely in a memory entry written sessions ago — one that assigned weaponized meaning to an everyday word.

What Actually Works (and What Doesn't)

The research on defenses is sobering. A January 2026 paper studying MINJA (Memory Injection Attack) against Electronic Health Record agents found that the attack achieves over 95% injection success in ideal conditions. In realistic deployments with pre-existing legitimate memories, effectiveness drops — but the defense calibration problem is brutal. Set your memory sanitization threshold too high and you reject legitimate memories. Too low and poisoned entries slip through.

Partially effective: Input moderation with composite trust scoring catches obvious payloads but misses subtle, natural-language ones. Memory sanitization with temporal decay reduces persistence windows but adds retrieval latency. Content separation — treating retrieved content and user instructions as fundamentally different trust zones — helps architecturally but doesn't solve the summarization-step bypass.

Not sufficient alone: Session-level injection detection can't see cross-session attacks by design. Static guardrails without memory inspection miss the entire vector. User-facing memory management sounds empowering until you realize users have no idea what a poisoned entry looks like — it reads like a normal preference.

Promising but early: Trust-aware retrieval that scores stored entries against behavioral baselines. Pattern-based filtering trained on known injection templates. Comprehensive audit logging of every memory write with anomaly detection pipelines downstream.

Nobody has a clean solution yet. Amazon Bedrock's pre-processing prompt and guardrails help. Microsoft added filtering to Copilot. But the fundamental tension — agents need long-term context to be useful, and that context is inherently an attack surface — doesn't have an elegant resolution.

So What Do You Do

If your agent stores anything between sessions, your threat model just gained a time dimension. You're not defending a conversation anymore. You're defending a state machine whose state can be corrupted by inputs that look completely benign at ingestion time.

Treat memory writes the way you'd treat database writes. Validate. Sanitize. Audit. And assume that some percentage of what gets written will be adversarial — because 31 companies across 14 industries have already figured out that it works.