Prompt InjectionHigh

Microsoft Warns Poisoned MCP Tool Descriptions Are Being Used to Make Enterprise AI Agents Leak Data

Microsoft (Microsoft Incident Response guidance)

What Happened

Microsoft Incident Response published guidance that attackers are manipulating the natural-language descriptions of MCP tools, the metadata agents read to decide how to act, to smuggle in hidden instructions. Because MCP treats a description as effectively part of the agent's instructions and often picks up changes without re-approval, a poisoned description can silently redirect an agent to gather and forward sensitive records while each individual step looks normal. Microsoft noted the technique, first shown by Invariant Labs in April 2025, was being observed in 2026 against a growing range of enterprise agents.

Impact

The attack pattern lets adversaries exfiltrate data such as financial records through legitimate-looking agent activity that evades traditional alerts, exploiting the trust boundary where agents consume third-party tool metadata. Microsoft framed it as a systemic risk for organizations deploying agentic AI and MCP connectors.

How to Prevent This

  • Treat MCP tool descriptions as system-prompt-level instructions requiring change review
  • Maintain allowlists of approved MCP publishers and disable blanket 'allow all' tool access
  • Trigger re-approval whenever a tool's description or metadata changes before agents use it
  • Apply least agency: require human sign-off for high-impact agent actions and data egress
  • Baseline and monitor agent behavior to flag anomalous data collection and outbound requests

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment