What Happened
Microsoft Incident Response published guidance that attackers are manipulating the natural-language descriptions of MCP tools, the metadata agents read to decide how to act, to smuggle in hidden instructions. Because MCP treats a description as effectively part of the agent's instructions and often picks up changes without re-approval, a poisoned description can silently redirect an agent to gather and forward sensitive records while each individual step looks normal. Microsoft noted the technique, first shown by Invariant Labs in April 2025, was being observed in 2026 against a growing range of enterprise agents.
Impact
The attack pattern lets adversaries exfiltrate data such as financial records through legitimate-looking agent activity that evades traditional alerts, exploiting the trust boundary where agents consume third-party tool metadata. Microsoft framed it as a systemic risk for organizations deploying agentic AI and MCP connectors.
How to Prevent This
- Treat MCP tool descriptions as system-prompt-level instructions requiring change review
- Maintain allowlists of approved MCP publishers and disable blanket 'allow all' tool access
- Trigger re-approval whenever a tool's description or metadata changes before agents use it
- Apply least agency: require human sign-off for high-impact agent actions and data egress
- Baseline and monitor agent behavior to flag anomalous data collection and outbound requests