AI poisoning is a cyberattack in which adversaries insert false, malicious, or manipulated information into AI systems by corrupting what those systems learn, recommend, or tell users. It can target the data used to train AI models, the web content AI tools scan to generate answers, or the prompts fed to AI agents. The goal: make AI work against the people using it.

AI poisoning isn't one technique. It's a category with three distinct forms that operate at different points in how AI systems work.

1. Training data poisoning

This happens before most users ever interact with an AI. Machine learning models learn from large datasets, and if an attacker can influence that dataset, they can teach the model to behave incorrectly in specific, targeted situations.

Inject false medical records into a healthcare AI's training data, and it misclassifies diagnoses. Feed manipulated network traffic logs to a security AI, and it learns to misinterpret certain potential attacks. The model believes it's working correctly. It's been guided to have blind spots.

This can be a slower, more sophisticated attack—but the damage compounds with every decision the compromised model makes.

2. AI search result poisoning

This is the type most everyday users and employees are running into right now—and it requires no technical sophistication at all.

AI assistants like Google's AI Overviews, ChatGPT, and Copilot generate answers by pulling from web content they can find and index. Attackers exploit this by seeding the web with misleading pages: fake customer support numbers that connect to scam call centers, malicious download links disguised as legitimate software, and fabricated how-to instructions that execute an attack.

The user doesn't click a suspicious link. The AI just tells them the wrong thing—confidently, in plain language, with no URL to second-guess.

Security researcher Bruce Schneier demonstrated this in under 24 hours: by publishing a single fabricated article on a personal website, he had both Google AI Overviews and ChatGPT repeating the invented "facts" as truth to anyone who asked.

3. Prompt injection and memory poisoning

When an AI agent operates autonomously by browsing the web, summarizing documents, executing workflows—attackers can embed hidden instructions inside content the agent processes. Those instructions redirect the agent's behavior: exfiltrate data, bypass security rules, and take actions the user never authorized.

Memory poisoning extends this further. AI agents that retain context across sessions can have false information injected into that memory, corrupting every decision they make going forward.

1.     The attacker picks a high-intent question: something users commonly ask AI tools, like "what's the customer support number for [company]" or "how do I install [software] on macOS."

2.     They create or compromise web content containing the malicious answer: a scam phone number, a fake download link, or harmful instructions optimized to be discoverable by AI crawlers.

3.     AI tools index and synthesize this content. Because AI Overviews and chatbots pull from what they can find, the poisoned content gets included in responses.

4.     The user trusts the AI's answer. They call the scam number, download the malicious file, or follow the harmful steps.

5.     The attacker wins, without breaching a network, writing malware, or getting past a single firewall.

No breach. No malware. Just trust, exploited.

Most people are familiar with SEO poisoning attackers manipulating search rankings to surface malicious pages. AI search result poisoning is SEO poisoning evolved for an era when people trust AI-generated answers more than they trust blue links.

 
The key difference: in SEO poisoning, there's still a URL. Users can pause and question it. In AI result poisoning, there's nothing to question. The AI already told you.

The AMOS stealer campaign: Huntress researchers documented an active attack in which malicious content was seeded into AI-indexed sources related to popular macOS tools. When users asked AI assistants for help with specific tasks, responses directed them to attacker-controlled pages that delivered the Atomic macOS Stealer. No phishing email. No suspicious download prompt. The infection started with a search, an AI answer, and a copy-paste into Terminal.

Google AI Overviews surfacing scam numbers: Reported by the Washington Post in August 2025, multiple cases emerged of Google's AI-generated summaries surfacing fraudulent customer service numbers. Users searching for help from legitimate businesses were connected directly to scam call centers. The attackers didn't hack Google—they just knew how AI tools find and surface information.

The cruise line incident: Scam call centers inserted their phone numbers into AI-indexed web content associated with a major cruise line. Customers asking AI assistants for support were routed to scammers instead of the company. The AI Incident Database documented this case as an early example of systematic AI result poisoning targeting customer trust.

The 24-hour poisoning experiment: Bruce Schneier demonstrated in February 2026 that a single fabricated article on a personal website was enough to get Google AI Overviews and ChatGPT repeating invented information as fact within 24 hours. No technical access required.

Short answer: anyone who trusts AI tools to be accurate.

Higher-risk scenarios include:

• Employees using AI assistants to find vendor contact info, troubleshoot software, or follow technical instructions

•  IT and security teams are using AI-assisted workflows where agents process external web content

•  Organizations fine-tuning or training custom models on pipelines that can be influenced by external data

• Security tools powered by ML. If attackers can shift what a model classifies as "benign," detection gaps follow

• Customer-facing businesses where poisoned AI results intercept your customers before they reach you

The attack surface scales with AI adoption. The more your people and systems rely on AI answers, the more attractive this vector becomes.

For individuals and employees:

1. Verify contact information independently. If an AI gives you a phone number, find it on the company's official website directly — not through another search.

2. Don't execute commands or download software based on AI instructions alone. Cross-check with official documentation or a known-good source.

3. Stay skeptical of AI responses that give you credentials, scripts, or technical steps. Treat them the same way you'd treat unsolicited email attachments.

4. Report AI responses that seem wrong or off. Platforms use these signals to identify and remove poisoned content faster.

For organizations:

1. Train your people specifically on AI search result poisoning. This is a social engineering attack that uses AI as the delivery mechanism. Not a technical exploit your IT team can patch. Security awareness training is your first line of defense.

2. Create verified source directories for common employee needs. Don't let "ask the chatbot" be the default path to vendor support lines or software downloads.

3. Apply input validation to AI-assisted workflows. Treat any external content that an AI agent processes the same way you'd treat untrusted user input.

4. Protect your training data pipelines. If you're building or fine-tuning models, treat training data as a security-critical asset — validate sources, monitor for anomalies, and apply integrity controls.

5. Track AI-specific threat research. The MITRE ATLAS framework catalogs adversarial AI attack patterns and is a useful starting point for modeling this threat.

Related, but not identical.

Data poisoning is a specific technique: corrupting the training dataset for a machine learning model. It's one form of AI poisoning.

Adversarial AI is the broader category: any technique used to manipulate, exploit, or deceive an AI system. AI poisoning falls under adversarial AI, alongside evasion attacks (bypassing AI-based detection) and model inversion (extracting sensitive information from a trained model).

AI poisoning sits in the middle—broader than "data poisoning" but more specific than "adversarial AI." It covers the full range of attacks that corrupt what an AI system takes in, learns, or outputs.

Huntress focuses on behavior—not just attack tools. Whether a threat actor uses AI-poisoned search results to trick an employee into downloading malware, or uses AI to write a more convincing phishing email, those attacks still have to execute on endpoints, touch identities, and move through your environment. That's where we detect them.

On the human layer: Huntress Managed Security Awareness Training includes a dedicated episode on AI poisoning—covering exactly how attackers seed AI search results with scam content and how employees can recognize it before they act on it. It went live in March 2026, built from real threat patterns our security operation center (SOC) tracks.