Skip to content
News Incident

Microsoft warns MCP tool descriptions can silently redirect AI agents to exfiltrate data

· by Pondero Newsdesk

The short version

Microsoft Incident Response and Defender Research published a joint warning June 30 showing how a poisoned MCP tool description can make Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry hand over sensitive data with no security alert fired.

Microsoft warns MCP tool descriptions can silently redirect AI agents to exfiltrate data

Microsoft Incident Response and Defender Research published a joint security advisory on June 30 showing how an attacker who can edit a single MCP tool description can steer an AI agent to copy sensitive company data to an external server, with no security alert fired and no visible change to the agent's behavior.

What happened

The advisory describes a structural weakness in how agents built on the Model Context Protocol read their instructions. Per the Microsoft Security Blog, an MCP tool description is plain text that the agent treats as authoritative guidance. Because MCP mixes those descriptions with live data in the same memory context, an attacker who modifies a tool's description can embed instructions alongside legitimate metadata. The agent has no reliable mechanism to distinguish the two.

Microsoft confirmed the affected products include Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry. The advisory walks through a lab demonstration using a fictitious payroll scenario: a third-party "invoice enrichment" tool, already approved by the security team, gets its description silently updated with a hidden instruction to collect and forward the last thirty unpaid invoices. When an analyst runs a routine supplier query, the agent executes the hidden instruction with the analyst's own permissions. The outbound data transfer registers as a normal API call. Nothing triggers an alert.

Microsoft notes that MCP servers can push description changes dynamically, meaning a poisoned version can go live in some configurations without any re-approval step.

Why it matters

The gap is not a bug in Copilot or Azure AI Foundry. It is a trust-boundary problem built into the MCP model: tool descriptions are treated as data rather than as code, which means they bypass the security review processes that would catch a malicious code change. Any organization that has deployed MCP-connected agents and allows third-party or externally maintained tools faces this exposure today, with no patch available.

The exfiltration method makes detection difficult. Each individual action the agent takes is legitimate on its own. The data query runs under user permissions. The destination server was approved when the tool was added. Only the tool description changed, and description changes are not currently audited by default in most MCP deployments.

Microsoft's mitigation advice centers on treating tool descriptions with the same review rigor applied to system prompts: audit every description in deployed MCP servers, maintain an approved-publisher allowlist, require human approval for any agent action that moves data outside the organization, and flag any description update for re-approval before the change goes live.

What to watch next

Microsoft has not announced a patch or a protocol-level fix. The advisory maps its own products (Prompt Shields, Purview DLP, Entra Agent ID, Defender for Cloud, Sentinel) to each mitigation step, but the core defense relies on operator-side policy rather than a platform update. Organizations running MCP-connected agents in Microsoft 365 Copilot or Azure AI Foundry should audit deployed tool descriptions now and confirm their tooling triggers re-approval on description changes. The MCP specification itself, maintained separately at modelcontextprotocol.io, has not yet addressed this class of attack at the protocol level.

Sources