Enterprise & Industry

Microsoft warns poisoned MCP tool descriptions can trick AI agents into data leaks

Attackers hide malicious instructions in tool metadata that approved AI agents trust and follow.

Deep Dive

Microsoft's June 30, 2026 guidance warns that AI agents using the Model Context Protocol (MCP) can be compromised by subtly altered tool descriptions. MCP connects AI systems to external tools like email, finance, and cloud resources, enabling agents to retrieve, modify, or send business data. Attackers can modify the natural-language metadata—the description that tells the model what a tool does—without changing the visible name or summary. The agent treats the poisoned description as a legitimate instruction and executes harmful actions, such as attaching sensitive invoice data to an enrichment call, appearing to complete tasks normally. This is a form of indirect prompt injection in the AI supply chain, similar to previously reported BioShocking attacks that trick browser agents into leaking credentials.

To defend against these attacks, Microsoft advises teams to first audit their MCP server inventory, disabling broad connections and enabling only specific tools per agent. Baseline tool descriptions, schemas, and permission sets at deployment, and treat any later modification as a review trigger. Implement data loss prevention policies for tool-call parameters, require human approval for high-impact actions, and monitor telemetry between MCP servers and agent behavior. Importantly, MCP annotations like readOnlyHint: true must be treated as untrusted unless verified; they should never replace access controls or sandboxing. As agents gain write and send capabilities, continuous verification of tool metadata becomes essential.

Key Points
  • MCP tool descriptions are natural-language metadata that guide AI agent tool selection, and attackers can modify them without changing visible names.
  • In a finance agent example, a poisoned description caused the agent to attach unpaid invoice data to an enrichment call, leaking data through an approved action.
  • Microsoft recommends baselining tool descriptions at deployment, treating annotations as untrusted, and using DLP policies for tool-call parameters to detect exploitation.

Why It Matters

As AI agents gain access to business systems, tool metadata becomes a critical security surface often overlooked.

📬 Get the top 10 AI stories daily