What happened
On June 22–23, 2026, Microsoft published detailed security guidance on memory poisoning attacks against Microsoft Foundry Agent Service. The post describes how adversaries can manipulate what agents write into long-term memory (user profile, session summary, procedural memory) to persistently influence future agent responses, tool usage, and workflows — and provides concrete defenses including memory scope controls, TTL policies, write-path hardening, and a hardened hosted-container agent reference architecture.
Why it matters
Agent memory is a largely undefended persistence vector: a single poisoned memory item can corrupt all future interactions for that agent/user scope. As Foundry Agent Service adoption grows, memory poisoning becomes a primary attack path for persistent prompt injection, one that requires no per-session attack surface. This is the first authoritative vendor guidance on the threat model and countermeasures.
Applicability
Teams building or deploying agents on Microsoft Foundry Agent Service (Azure AI Foundry); architects designing multi-session agentic workflows. Implement memory scope restrictions, TTL policies, and the reference hardened container architecture immediately for any production agent with long-term memory enabled.
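The sketch below shows how the scope, TTL and write-path controls named above fit together in a single gate placed in front of a memory store. It is an added example, not code from Microsoft's guidance and not a Foundry Agent Service API. The class names, source labels, TTL values and the instruction-matching pattern are all assumptions chosen for illustration.

```python
# Added illustration: a generic write-path gate for agent long-term memory.
# Every name here is hypothetical; none is a Foundry Agent Service API.
import re
import time
from dataclasses import dataclass

# Assumed policy: which provenance may write each memory type, and its lifetime.
POLICY = {
    "user_profile":    {"sources": {"user"},          "ttl_s": 30 * 86400},
    "session_summary": {"sources": {"user", "agent"}, "ttl_s": 7 * 86400},
    "procedural":      {"sources": {"operator"},      "ttl_s": 90 * 86400},
}
# Constructed heuristic: text that reads like a standing instruction to the agent.
INSTRUCTION_LIKE = re.compile(
    r"\b(ignore (all|previous)|always (call|use|send)|from now on|system prompt)\b",
    re.I)

@dataclass
class MemoryItem:
    scope: str         # owner of the item, e.g. "tenant/user"
    kind: str          # one of the POLICY keys
    text: str
    source: str        # provenance: user, agent, tool or operator
    expires_at: float

class MemoryStore:
    def __init__(self):
        self.items = []

    def write(self, caller_scope, scope, kind, text, source, now=None):
        now = time.time() if now is None else now
        rule = POLICY.get(kind)
        if rule is None:
            return "reject: unknown memory type"
        if scope != caller_scope:
            return "reject: cross-scope write"
        if source not in rule["sources"]:
            return "reject: source not allowed for " + kind
        if source != "operator" and INSTRUCTION_LIKE.search(text):
            return "reject: instruction-like content"
        self.items.append(MemoryItem(scope, kind, text, source, now + rule["ttl_s"]))
        return "stored"

    def read(self, caller_scope, now=None):
        now = time.time() if now is None else now
        # Expired items are purged on read, so a poisoned entry cannot persist forever.
        self.items = [i for i in self.items if i.expires_at > now]
        return [i.text for i in self.items if i.scope == caller_scope]
```

Logging each rejected write together with its source and scope gives detection a signal that something is attempting to persist instructions.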