Microsoft Warns of AI Agent Hijacking via Poisoned Tool Descriptions
Microsoft’s Incident Response and Defender research teams have uncovered a stealthy attack vector targeting AI agents automated systems that perform tasks like sending emails, managing files, or accessing business data. By manipulating a tool’s description within the Model Context Protocol (MCP), attackers can silently exfiltrate sensitive company data without triggering security alerts.
How the Attack Works
AI agents rely on MCP to interact with external tools, using plain-text descriptions to determine when and how to use them. These descriptions, however, can be altered to include hidden instructions. In a demonstrated scenario, an attacker modified a third-party "invoice enrichment" tool’s description to secretly collect and forward unpaid invoices to an external server. The agent, operating under the user’s permissions, executed the request as part of a routine task appearing legitimate at every step.
The attack exploits a fundamental trust gap: MCP blends instructions and data in the same space, making it difficult for agents to distinguish between valid commands and malicious ones. Since the tool itself remains approved and the actions appear normal, traditional security measures may fail to detect the breach.
Real-World Precedents
This technique, dubbed "tool poisoning," has been documented in multiple proof-of-concept attacks:
- April 2025: Invariant Labs demonstrated how a poisoned calculator tool description could extract SSH keys via the Cursor editor.
- September 2025: Koi Security discovered a malicious npm package (postmark-mcp) that secretly BCC’d emails to an attacker after 15 clean releases.
- August 2025: The MCPTox benchmark tested 45 MCP servers and 20 AI models, finding a 72.8% success rate for such attacks, with models rarely refusing the malicious instructions.
OWASP now lists this as a key Agentic Supply Chain Vulnerability in its December 2025 Top 10 for AI applications.
Mitigation Strategies
Microsoft recommends treating connected tools as part of the supply chain, with strict controls:
- Restrict tool access to approved publishers and specific, necessary functions.
- Review tool descriptions like code changes, scanning for unauthorized commands.
- Require human approval for high-risk actions (e.g., data sharing, financial transactions).
- Monitor agent activity with dedicated identities, logging actions and flagging anomalies.
- Apply "least agency" limiting an agent’s autonomy to reduce potential damage.
The research underscores a growing risk: as AI agents gain autonomy, their security hinges on the integrity of the tools they interact with a surface that remains vulnerable to manipulation.
Source: https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
Invariant Labs cybersecurity rating report: https://www.rankiteo.com/company/invariant-labs-ai
Anysphere cybersecurity rating report: https://www.rankiteo.com/company/anysphereinc
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft
"id": "NPMINVANYMIC1782858281",
"linkid": "npm-inc-, invariant-labs-ai, anysphereinc, microsoft",
"type": "Vulnerability",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using AI agents '
'with MCP-integrated tools',
'industry': 'Software, Cloud Computing, AI',
'location': 'Global',
'name': 'Microsoft',
'size': 'Enterprise',
'type': 'Technology Company'},
{'industry': 'Cybersecurity',
'name': 'Invariant Labs',
'type': 'Security Research Firm'},
{'industry': 'Cybersecurity',
'name': 'Koi Security',
'type': 'Security Research Firm'}],
'attack_vector': 'Poisoned Tool Descriptions (Model Context Protocol - MCP)',
'customer_advisories': 'Users of AI-driven automation tools should verify '
'tool publishers, monitor agent activity, and report '
'suspicious behavior.',
'data_breach': {'data_exfiltration': 'Yes (data forwarded to external '
'servers)',
'personally_identifiable_information': 'Potential (depends on '
'data accessed by AI '
'agents)',
'sensitivity_of_data': 'High (PII, financial data, '
'credentials)',
'type_of_data_compromised': ['Unpaid invoices',
'SSH keys',
'Emails',
'Business data']},
'description': 'Microsoft’s Incident Response and Defender research teams '
'uncovered a stealthy attack vector targeting AI agents by '
'manipulating a tool’s description within the Model Context '
'Protocol (MCP). Attackers can silently exfiltrate sensitive '
'company data without triggering security alerts by altering '
'plain-text tool descriptions to include hidden instructions. '
'The attack exploits a trust gap in MCP, blending instructions '
'and data in the same space, making it difficult for agents to '
'distinguish between valid commands and malicious ones.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'AI-driven automation',
'data_compromised': 'Sensitive company data (e.g., unpaid '
'invoices, SSH keys, emails)',
'identity_theft_risk': 'High (if PII or credentials are '
'exfiltrated)',
'operational_impact': 'Unauthorized data access, potential '
'business process disruption',
'payment_information_risk': 'High (if financial data like invoices '
'are compromised)',
'systems_affected': 'AI agents, MCP-integrated tools, third-party '
'applications (e.g., npm packages)'},
'investigation_status': 'Ongoing (research and mitigation strategies '
'published)',
'lessons_learned': "AI agents' security depends on the integrity of the tools "
'they interact with. Tool descriptions in MCP must be '
'treated as part of the supply chain and reviewed for '
'malicious instructions. Traditional security measures may '
'fail to detect such attacks due to their stealthy nature.',
'motivation': 'Data Exfiltration, Espionage',
'post_incident_analysis': {'corrective_actions': 'Implement strict tool '
'access controls, human '
'approval for high-risk '
'actions, and enhanced '
'monitoring of AI agent '
'activity.',
'root_causes': 'Fundamental trust gap in MCP where '
'instructions and data are blended, '
'lack of tool description '
'validation, and over-reliance on '
'AI agent autonomy.'},
'recommendations': ['Restrict tool access to approved publishers and specific '
'functions.',
'Review tool descriptions like code changes, scanning for '
'unauthorized commands.',
'Require human approval for high-risk actions (e.g., data '
'sharing, financial transactions).',
'Monitor agent activity with dedicated identities, '
'logging actions and flagging anomalies.',
"Apply 'least agency' principles to limit an agent’s "
'autonomy and reduce potential damage.'],
'references': [{'source': 'Microsoft Incident Response and Defender Research'},
{'source': 'Invariant Labs (April 2025 PoC)'},
{'source': 'Koi Security (September 2025 - postmark-mcp npm '
'package)'},
{'source': 'MCPTox Benchmark (August 2025)'},
{'source': 'OWASP AI Top 10 (December 2025)'}],
'response': {'containment_measures': 'Restrict tool access to approved '
'publishers, review tool descriptions '
'for unauthorized commands',
'enhanced_monitoring': 'Monitor AI agent activity for anomalies',
'recovery_measures': 'Monitor agent activity with dedicated '
'identities, log actions, and flag '
'anomalies',
'remediation_measures': 'Require human approval for high-risk '
"actions, apply 'least agency' "
'principles'},
'stakeholder_advisories': 'Organizations using AI agents with MCP-integrated '
'tools should review tool descriptions, restrict '
'access, and implement monitoring.',
'title': 'Microsoft Warns of AI Agent Hijacking via Poisoned Tool '
'Descriptions',
'type': 'AI Agent Hijacking',
'vulnerability_exploited': 'Agentic Supply Chain Vulnerability (OWASP AI Top '
'10 - December 2025)'}