Itdaily - Microsoft warns of fake MCP tool descriptions manipulating AI agents

Source: Microsoft

Microsoft has identified a new attack pattern on AI agents through the abuse of Model Context Protocol (MCP) tools.

Microsoft Incident Response is analyzing how attackers can exploit the AI supply chain by poisoning MCP tools. Specifically, attackers can manipulate the description of MCP tools to prompt AI agents to perform unwanted actions, such as leaking sensitive data.

According to IDC, the number of active AI agents in enterprises will grow from nearly 30 million in 2025 to over two billion by 2030. This makes supply chain security and continuous monitoring of integrations essential, especially now that the OWASP Top 10 for Agentic Applications serves as a new reference framework.

New attack pattern in AI agents

Microsoft describes an attack in which a Copilot Studio agent in a financial workflow is exploited via MCP tool poisoning. The attack unfolds in four phases: first, the tool description is inconspicuously modified; then a metadata change causes the agent to pick up the infected instructions without any re-review; next, a user unknowingly calls the compromised tool; finally, sensitive data is quietly forwarded to an external server.

What makes this attack unique is that each individual step appears legitimate. The vulnerability arises from the trust between approved tools and agents, rather than from a flaw in Copilot itself. By manipulating tool metadata, an attacker can steer an agent’s behavior without being noticed, creating a risk of data leaks and unauthorized actions.

Security measures

Microsoft advises treating the entire MCP supply chain as a critical dependency. Organizations should maintain an approved list of MCP servers, thoroughly audit tool metadata, and implement human approval for high-risk actions. Tools such as Prompt Shields, Microsoft Purview DLP, and Defender for Cloud AI Protection can be deployed for inspection and detection of anomalous behavior.
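One way to put the advice above into practice is to pin the description and input schema of every approved MCP tool at review time and compare them against each live tools/list before the agent may use a tool, so that the silent metadata edit in phase one of the attack surfaces as a hard failure instead of being absorbed. The following is an added example, not code from Microsoft or from any MCP SDK; the server URL, tool names and schemas are constructed for illustration.

```python
import hashlib
import json

# Constructed baseline snapshot of an MCP "tools/list" result, recorded when the
# server was reviewed and approved. URL, tool names and schemas are made up.
APPROVED_SERVER = "https://mcp.example.internal/finance"
BASELINE_TOOLS = [
    {"name": "get_invoice",
     "description": "Return one invoice by id.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}},
                     "required": ["id"]}},
    {"name": "send_report",
     "description": "Send the monthly report to the finance mailbox.",
     "inputSchema": {"type": "object", "properties": {"month": {"type": "string"}},
                     "required": ["month"]}},
]
# Tools whose effects leave the tenant: even an approved version needs a human in the loop.
HIGH_RISK_TOOLS = {"send_report"}

def tool_fingerprint(tool):
    """SHA-256 over the fields the agent actually reads (description and schema),
    serialised canonically so key order or whitespace does not disturb the pin."""
    canon = json.dumps({"description": tool.get("description", ""),
                        "inputSchema": tool.get("inputSchema", {})},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def pin_tools(server_url, tools):
    """Build the approved manifest {server_url: {tool_name: fingerprint}} from a reviewed snapshot."""
    return {server_url: {t["name"]: tool_fingerprint(t) for t in tools}}

def audit_tools(server_url, tools, manifest):
    """Compare a live tools/list against the manifest. Returns {tool_name: verdict};
    anything other than 'approved' should block the tool until a human re-reviews it."""
    pinned = manifest.get(server_url)
    if pinned is None:
        return {t["name"]: "unknown-server" for t in tools}
    verdicts = {}
    for t in tools:
        name = t["name"]
        if name not in pinned:
            verdicts[name] = "unknown-tool"
        elif tool_fingerprint(t) != pinned[name]:
            verdicts[name] = "metadata-changed"  # silent description edit, as in the attack
        elif name in HIGH_RISK_TOOLS:
            verdicts[name] = "approved-human-approval-required"
        else:
            verdicts[name] = "approved"
    return verdicts
```

Run the audit at every session start and whenever the server re-announces its tool list, and log any non-approved verdict to your SIEM so a changed description is treated as an incident rather than a routine update.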

The principle of ‘least agency’ must be applied: even an agent with minimal permissions can be dangerous if granted too much autonomy. Monitoring with Microsoft Sentinel and periodic reviews of agent behavior are essential to quickly detect deviations.