Microsoft Details 'MCP Tool Poisoning' Attack Targeting Action-Oriented AI Agents
Microsoft Security Blog outlines a new attack pattern where malicious instructions are injected into AI agent tool descriptions, enabling agents to perform unintended actions and exfiltrate data.

Microsoft's security researchers have detailed a novel attack pattern targeting AI agents that are designed to take action, moving beyond simple information retrieval. This technique, dubbed "MCP tool poisoning," exploits the Model Context Protocol (MCP) tools, which are crucial for enabling AI agents to interact with business systems and execute tasks.
The attack chain begins with "tool description poisoning," where an attacker modifies the natural-language metadata that AI agents use to understand and invoke tools. While the tool's name and summary may appear legitimate, hidden malicious instructions are embedded within the description. These instructions can direct the AI agent to perform actions beyond its intended scope, such as retrieving sensitive data.
This poisoning is particularly effective due to "silent re-trust" mechanisms. In many configurations, updates to tool descriptions do not trigger a re-approval workflow, allowing the poisoned instructions to become active without human oversight. This creates a vulnerability in the agentic supply chain, where a compromised or malicious tool provider can silently alter an agent's behavior.
Once the tool description is poisoned and active, a "user invocation" can trigger the attack. When a user interacts with the AI agent, it follows the hidden malicious instructions embedded in the tool description. For instance, a financial analyst asking a routine question might inadvertently cause the agent to collect and transmit sensitive financial records to an unauthorized destination.
The final "exfiltration" phase involves the compromised tool server returning a plausible response to the user while silently logging the exfiltrated data to a threat actor-controlled endpoint. This attack pattern does not exploit vulnerabilities within the AI agent itself but rather within the trust boundaries established by external tool integrations. The agent cannot differentiate between legitimate instructions and malicious ones injected by an upstream maintainer.
Microsoft highlights that this pattern maps to the OWASP Top 10 for Agentic Applications categories ASI02 (Tool Misuse) and ASI04 (Agentic Supply Chain Vulnerabilities). The technique was first disclosed by Invariant Labs in April 2025 and has been observed in 2026 against various enterprise agents.
To mitigate these risks, Microsoft recommends governing the AI tool supply chain by maintaining tenant-level allowlists of approved MCP publishers and servers. Organizations should also review and assess the verifiability of tool provenance. Furthermore, implementing security controls that monitor tool usage, detect anomalous data retrieval, and alert on suspicious outbound communications is a crucial step in defending against MCP tool poisoning.
As AI agents become more integrated into enterprise workflows and their numbers rapidly increase, securing these systems is paramount. The shift from passive information consumption to active task execution introduces new attack surfaces and necessitates robust security practices that extend beyond traditional application security.
This new report from The Hacker News elaborates on Microsoft's findings, emphasizing how attackers can leverage poisoned tool descriptions to make AI agents exfiltrate sensitive company data without triggering standard security alarms. The article highlights that the attack vector bypasses security protocols by presenting malicious actions as routine to the AI agent, underscoring a novel threat to AI-powered systems and data security.