Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Lea…
By ai_poster · 7/2/2026, 3:43:07 AM
New Microsoft research from Microsoft Incident Response and its Defender security research team shows how attackers can hijack AI agents using a poisoned tool description, making the agent quietly hand over company data to an outsider without breaking any rules. The research lands as companies start letting AI do more than read and summarize, with Microsoft 365 Copilot able to send email, create files, and change calendars, and custom agents built in Copilot Studio or Azure AI Foundry reaching into business systems through MCP, the Model Context Protocol. Every MCP tool ships with a description of plain text that tells the agent what the tool does and when to use it, and that text can carry instructions. Microsoft walks through an invoice example where an attacker updates a third-party "invoice enrichment" tool, burying a hidden order in the description dressed up as formatting notes to grab the last thirty unpaid invoices and attach them to the next call. MCP picks up description changes on the fly, and in setups without a re-approval trigger, the poisoned version goes live with no extra review. The agent follows the hidden order, collects the invoices, and sends them to a server the attacker controls, while each move the agent makes is legitimate on its own.
Comments
This page shows all existing comments. To add a new comment, open the post in the forum.