Microsoft Warns Poisoned MCP Tool Descriptions Could Expose Enterprise Data Through AI Agents

Microsoft Warns Poisoned MCP Tool Descriptions Could Expose Enterprise Data Through AI Agents

Microsoft has published new security research warning that attackers can manipulate artificial intelligence agents into exposing sensitive enterprise information by modifying the descriptions of trusted tools connected through Model Context Protocol. According to Microsoft Incident Response and Microsoft Defender researchers, the technique allows malicious actors to influence AI agents into performing unauthorized actions without exploiting software vulnerabilities or violating existing security policies. Instead, attackers abuse trusted tool descriptions that AI agents rely on when determining how and when to execute tasks. Researchers said the attack demonstrates how organizations adopting autonomous artificial intelligence agents for business operations must also consider the security of connected tools that form part of the growing artificial intelligence supply chain.

Microsoft explained that the risk differs significantly from traditional prompt injection attacks that mainly affected text generation or document summarization. Modern AI agents integrated into Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry are capable of sending emails, creating documents, modifying calendars, and interacting directly with enterprise applications. These agents use Model Context Protocol, commonly known as MCP, to communicate with external tools in much the same way that applications interact with APIs. Each MCP tool contains a text based description explaining its purpose and appropriate use. According to Microsoft, this description becomes part of the agent’s decision making process, creating an opportunity for attackers to insert hidden instructions alongside legitimate information. Researchers illustrated the issue through a finance related example involving an invoice processing agent connected to multiple business tools, including a third party invoice enrichment service. In the demonstrated scenario, an attacker modifies only the hidden tool description while leaving the visible name and summary unchanged. The concealed instructions direct the agent to collect unpaid invoices and transmit them during a routine request. Because MCP can automatically recognize updated tool descriptions without requiring additional approval in some environments, the modified instructions become active immediately. When a finance employee later submits a legitimate request, the AI agent unknowingly follows the hidden instructions, gathers sensitive invoices using the employee’s own permissions, and sends the information to an attacker controlled server while returning a normal response to the user. Microsoft noted that each individual action appears legitimate because the connected tool is trusted, the user has authorization to access the data, and outbound communication occurs through an approved service.

Researchers stated that the underlying concern is not a flaw within Microsoft Copilot itself but rather the trust relationship created between AI agents and external tools. Because Model Context Protocol stores tool descriptions alongside operational instructions within the agent’s working context, malicious descriptions can influence decision making in the same manner as changes to a system prompt. Microsoft emphasized that AI agents cannot reliably distinguish between legitimate operational guidance and malicious instructions inserted by the maintainer of a connected tool. To reduce these risks, the company recommends that organizations treat connected MCP tools as part of their software supply chain by maintaining approved publisher lists, disabling unrestricted tool access, and allowing agents to use only the minimum number of required integrations. Microsoft also advises reviewing changes to tool descriptions with the same level of scrutiny applied to software code, placing human approval requirements on sensitive actions involving financial transactions, external data sharing, or account modifications, assigning unique identities to AI agents for monitoring purposes, and implementing logging capable of identifying unusual behavior such as unexpected external connections, large data transfers, or abnormal queries. Researchers also recommend applying the principle of least agency alongside least privilege so that AI agents perform only essential tasks even when operating with limited permissions.

Microsoft noted that similar attacks have already been demonstrated by independent researchers and security organizations over the past year. In April 2025, Invariant Labs introduced the concept of tool poisoning through a proof of concept showing how malicious instructions hidden within a calculator tool description could convince the Cursor code editor to access and transmit a user’s private SSH key. The same researchers later demonstrated another scenario in which a malicious GitHub issue manipulated an AI agent connected through a GitHub MCP server into exposing information stored within private repositories. These incidents have since been referenced by OWASP within its Top 10 for Agentic Applications under Agentic Supply Chain Vulnerabilities. Researchers also highlighted a real supply chain incident discovered by Koi Security in September 2025 involving a malicious npm package named postmark mcp. After publishing fifteen legitimate versions, version 1.0.16 secretly introduced functionality that copied every email sent by an AI agent to an attacker through a hidden blind carbon copy mechanism. Academic research has also demonstrated the effectiveness of tool poisoning. The MCPTox benchmark, released in August 2025, evaluated poisoned tool descriptions across forty five MCP servers and twenty leading artificial intelligence models, recording attack success rates of up to 72.8 percent while observing that most models failed to reject the malicious instructions. Microsoft said these findings reinforce the importance of securing AI tool integrations as organizations continue expanding the use of autonomous artificial intelligence systems within enterprise environments.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem. 

Post Comment