HackMyIP
← Back to News
2026-06-30 The Hacker News

Microsoft: Poisoned MCP Tool Descriptions Can Hijack AI Agents

AI SecurityAI ThreatsSupply Chain

Microsoft Incident Response and its Defender security research team have published findings showing that AI agents running on the Model Context Protocol (MCP) can be hijacked through nothing more than a poisoned tool description. The attack turns Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry agents—tools that can send email, create files, modify calendars, and pull data from enterprise systems—into unwitting data exfiltration channels. MCP, which Microsoft describes as the fastest-growing component of the agentic AI supply chain, allows models to call external tools the way an application calls an API, making it a rapidly expanding attack surface for enterprises letting agents act on a user's behalf.

The technique exploits how MCP tools advertise themselves. Each tool ships with a plain-text description that tells the agent when and how to use it. An attacker who controls or compromises a third-party tool simply updates that description, embedding hidden instructions disguised as formatting notes or usage guidance. In a demonstrated invoice-processing scenario, a finance team connects an agent to three MCP tools, including an approved third-party 'invoice enrichment' service that never received a real security review. The attacker updates that tool—keeping the name and visible summary identical—and MCP picks up the new description on the fly, often without a re-approval trigger. When an analyst later asks a routine question about a supplier, the agent dutifully follows the hidden order, collects the last thirty unpaid invoices, and ships them off as part of a normal-looking outbound call to a server the attacker controls.

What makes the attack particularly dangerous is that no individual step looks malicious. The tool was on the approved list, the data query ran under the analyst's own identity and permissions, and the outbound connection went to a destination that was whitelisted when the tool was originally added. After the fact, a WHOIS lookup can help attribute the suspicious server, but by the time the connection logs are reviewed, the data is already gone. A targeted privacy checkup can also reveal how much metadata an agent's outbound calls leak through headers, timing, and referrer fields—clues that traditional monitoring often overlooks.

Defenders should treat every MCP tool description as untrusted input, enforce re-approval gates whenever descriptions change, and instrument outbound connections so that data flows triggered by LLM-decided actions are flagged separately from human-initiated ones. Enterprises deploying agents should also run a SSL/TLS checker against every endpoint their agents can reach and audit whether the certificates behind 'approved' services still match the original vendor. As agents take on more multi-step business workflows, the weakest link is increasingly the natural-language glue between the model and the tools it calls.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →