Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data

Related

Massive Password Spray Campaign Targets Azure CLI

What happened A massive password spray campaign is targeting Microsoft...

Microsoft Accelerates Quantum-Safe Roadmap as Risks Grow

What happened Microsoft announced that it is accelerating its quantum-safe...

Malicious Edge Extension Abuses Native Messaging to Deploy Python Backdoor

What happened A malicious Microsoft Edge extension dubbed Edgecution has...

Microsoft’s Record 206-CVE Patch Tuesday Signals a New Era of AI-Driven Vulnerability Discovery

What happened Microsoft’s June 2026 Patch Tuesday update included fixes...

Share

What happened

Microsoft warned that attackers can hijack AI agents by poisoning the descriptions of tools connected through the Model Context Protocol.

The research comes from Microsoft Incident Response and Microsoft Defender security researchers. It focuses on how AI agents behave when they are allowed to act on behalf of users, rather than only summarize or generate text.

The Model Context Protocol, or MCP, is an open protocol that lets AI agents connect to outside tools in a way similar to how applications call APIs. Microsoft described MCP as a fast-growing part of the agentic AI supply chain, which also makes it an expanding attack surface.

The weakness comes from how MCP tools describe themselves. Each tool includes a plain-text description that tells the agent what the tool does and when to use it. The agent reads that description when deciding how to act.

In Microsoft’s example, a finance team uses an agent to handle vendor invoices. The agent connects to multiple tools, including a third-party invoice enrichment service. The tool is approved for use, but later the attacker updates its description while keeping the name and visible summary unchanged.

Hidden inside the tool description is an instruction telling the agent to collect the last 30 unpaid invoices and attach them to the next tool call.

Because MCP can pick up description changes dynamically, the poisoned version can become active without a new approval step in default setups.

When an analyst asks a normal question about a supplier, the agent follows the hidden instruction, collects the invoices using the analyst’s own permissions, and sends them to the attacker-controlled tool as part of what appears to be a routine request.

The tool returns a normal answer to the analyst while quietly copying the stolen data to an outside server.

Microsoft said the issue is not a bug in Copilot itself. It is a trust-boundary problem created when AI agents rely on third-party tool descriptions as instructions.

The broader issue is that MCP mixes instructions and data in the same place. A tool description sits in the agent’s working memory near the user’s real request, allowing a malicious description to steer the agent much like a prompt injection attack.

Who is affected

Organizations using AI agents connected to MCP tools may be affected.

The risk is especially relevant to companies using Microsoft 365 Copilot, Copilot Studio, Azure AI Foundry, or custom agents that can send emails, create files, change calendars, query business systems, or run multi-step workflows.

Organizations using third-party MCP tools, internally developed agents, or external business-system connectors should pay attention because the attack does not require the agent to break a rule. It abuses approved tools, normal permissions, and allowed outbound connections.

The most exposed workflows are those involving sensitive business data, including invoices, finance records, customer information, internal repositories, email, calendars, HR data, and operational systems.

Why CISOs should care

This research shows how AI agents introduce a new kind of supply chain risk. Traditional third-party risk focuses on code, access, vendors, and data handling. Agentic AI adds another layer: the words a tool uses to describe itself can become executable influence over the agent’s behavior.

For CISOs, the core risk is silent data exfiltration through legitimate actions. The agent may query approved systems, use the user’s existing permissions, and call an approved external tool, while still leaking sensitive information because the tool description manipulated the workflow.

The attack also shows why least privilege alone is not enough. Microsoft recommends applying “least agency,” meaning agents should not only have limited access, but also limited freedom to act without human review.

This matters as organizations connect agents to business systems. Once AI tools can send messages, retrieve files, update records, move data, and call external services, prompt injection becomes an operational security risk rather than only a content-quality issue.

3 practical actions

  1. Review MCP tools as supply chain components: Microsoft recommends treating every connected tool as part of the agentic AI supply chain. CISOs should maintain an approved tool inventory, restrict agents to specific tools, and avoid broad “allow all” configurations.
  2. Treat tool descriptions like system prompts: A poisoned MCP description can steer an agent’s behavior. Security teams should review description changes, scan tool metadata for hidden commands, and require re-approval when tool descriptions or capabilities change.
  3. Require human approval for risky agent actions: Any agent action that moves money, shares data externally, changes accounts, sends email, or modifies business records should require a person to approve it before execution.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.