[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQo0-cNoP4rIveUTsnZ9ZC6C4bUT21xApo-gg5q6S9l4":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"743b501f-1ee4-407a-9f2e-f8e2f9150563","Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data","microsoft-warns-poisoned-mcp-tool-descriptions-can-make-ai-agents-leak-data-ce35f0","New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire. The work comes from Microsoft Incident Response and its","Microsoft research reveals a vulnerability where attackers can poison tool descriptions used by AI agents, causing them to exfiltrate company data without triggering alarms. This attack exploits the Model Context Protocol (MCP), allowing malicious instructions to be embedded within tool descriptions, which AI agents then execute as legitimate commands.","Microsoft warns AI agents can leak data via poisoned tool descriptions.","Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data Swati KhandelwalJun 30, 2026Artificial Intelligence \u002F Supply Chain Security New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire. The work comes from Microsoft Incident Response and its Defender security research team, and it lands as companies start letting AI do more than read and summarize. What changes when an agent can act Until recently, the workplace AI risk was mostly framed around what a model read and wrote. A poisoned document could skew an answer, and that was mostly where it ended. Agents are different. Microsoft 365 Copilot can send email, create files, and change calendars. Custom agents built in Copilot Studio or Azure AI Foundry can reach into business systems and run multi-step jobs on their own. The same injection trick that biases a summary now triggers an action. Against a reader, an attack changes the output. Against an agent, it changes what the software actually does. These agents reach business systems through MCP, the Model Context Protocol, an open protocol that lets an AI call outside tools the way an app calls an API. Microsoft calls it the fastest-growing part of the agentic AI supply chain, which makes it an expanding attack surface. How the attack works Every MCP tool ships with a description: a few lines of plain text that tell the agent what the tool does and when to use it. The agent reads that text to decide how to act. That is the whole weakness. The description is just words, and words can carry instructions. Microsoft walks through it with an invoice example, built to show the pattern rather than report a named victim. A finance team stands up an agent to handle vendor invoices. It connects to three tools, including a third-party \"invoice enrichment\" service that was approved for use but never given a real security review. Then the attacker updates that third-party tool. The name and the visible summary stay the same. Buried in the description, dressed up as formatting notes, is a hidden order: grab the last thirty unpaid invoices and attach them to the next call. MCP picks up description changes on the fly. In setups without a re-approval trigger, the poisoned version goes live with no extra review. After that, an analyst asks a routine question about a supplier. The agent follows the hidden order, collects the invoices and sends them along as part of a normal-looking request. The tool returns a clean answer and quietly copies the stolen data to a server the attacker controls. The analyst sees nothing wrong. Each move the agent makes is legitimate on its own. The tool was approved. The data query ran with the analyst's own permissions. The outbound call went to a server that was allowed when it was added. The weakness is not in any one system. It lives in what Microsoft calls \"the trust boundary between them.\" The deeper problem is that MCP mixes instructions and data in the same place. A tool's description lives in the agent's working memory right next to its real orders, so editing that description can steer the agent as effectively as rewriting its system prompt. The agent has no reliable way to tell an honest instruction from a malicious one slipped in by whoever maintains the tool. Microsoft notes this is not a bug in Copilot itself. It is a trust gap opened up by plugging in outside tools. What defenders should do Microsoft's advice, stripped to plain terms: Treat every connected tool as part of your supply chain. Keep a list of approved tool publishers, turn off \"allow all,\" and let an agent use only the specific tools it needs. Treat a tool's description like a system prompt. Review changes to it the way you would review a code change, and scan the text for commands that have no business sitting in a help field. Put a human in front of risky actions. Anything that moves money, shares data outside the company, or changes accounts should need a person to approve it. Give each agent its own identity and watch what it does. Log its actions, set a baseline for normal, and flag new endpoints, larger data pulls, or odd queries. Apply least agency, not just least privilege. Even a low-permission agent can do real harm if it is allowed to act without checks. Microsoft maps its own products to each step, including Prompt Shields, Purview DLP, Entra Agent ID, Defender for Cloud, and Sentinel, but the principles hold whatever stack you run. Not a theory: how we got here This class of attack has a paper trail. Invariant Labs named \"tool poisoning\" in April 2025, with a proof of concept that hid instructions in a calculator tool's description and got the Cursor editor to read a user's private SSH key and send it off. Developer Simon Willison dug into it days later. The same group later showed a related trick: a malicious GitHub issue could hijack an agent connected to the GitHub MCP server and walk data out of private repositories. The tools there were trusted and untouched; the bad instructions rode in on the data the agent read. OWASP now cites that case as an Agentic Supply Chain Vulnerabilities example in its December 2025 Top 10 for Agentic Applications. A related supply-chain failure has already happened in the wild. In September 2025, researchers at Koi Security found an npm package called postmark-mcp. It had mirrored a legitimate email tool for fifteen clean releases before version 1.0.16 slipped in one line that secretly BCC'd every email an agent sent to an attacker. Koi called it the first real-world malicious MCP server. Academics have started measuring the problem too. The MCPTox benchmark, released in August 2025, ran poisoned tool descriptions against 45 real MCP servers and 20 leading AI models. It found the attack widely effective, with a success rate as high as 72.8 percent, and the models almost never refused. The throughline is the one Microsoft is pressing now. AI that can act is only as trustworthy as the tools you let it touch, and right now those tools are easy to poison and hard to watch. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Agent, artificial intelligence, Copilot, data exfiltration, MCP Server, Microsoft, Model Context Protocol, Prompt Injection, Supply Chain Security ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Se","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmicrosoft-warns-poisoned-mcp-tool.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjbjfrraZ05p0kN5CedcQSOZYouoHGrdpCvi9TGxEZM_9zlXc_juWZ1F8VsvjV9c-iD7Ejgj0V6b0uYwOb9mLpb7ALcOVk53m2ppmg6mDI3qwANc8KZFMt3X7H7fT_Eym3OJijFmr0CZS6yJNTtf4kef0gOYtbx6A3LYa15PNzpzJuOg-nd6orLosZzfQ8\u002Fs1600\u002Fms-ai.jpg","2026-06-30T17:46:07+00:00","2026-06-30T20:00:26.938271+00:00",8,[18,21,23,25,28],{"name":19,"type":20},"Microsoft 365 Copilot","product",{"name":22,"type":20},"Copilot Studio",{"name":24,"type":20},"Azure AI Foundry",{"name":26,"type":27},"Model Context Protocol","technology",{"name":29,"type":30},"Microsoft","vendor","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":31,"icon":33,"name":34,"slug":35},null,"Supply Chain","supply-chain",[37,39,44,49],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":50},{"id":51,"icon":33,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]