MCP Tool Poisoning Threatens Enterprise AI Agent Security

A new attack vector emerges as AI agents gain autonomy

As enterprise AI systems evolve from passive summarizers to active agents that execute tasks, a critical vulnerability has surfaced in the Model Context Protocol (MCP) infrastructure that connects these agents to business tools. Microsoft Incident Response has detailed an attack pattern that exploits the trust boundary between AI agents and the external tools they invoke—a threat that could affect millions of deployments as agentic AI scales across organizations.

According to the International Data Corporation, active AI agents in enterprises are projected to surge from 28.6 million in 2025 to more than 2.2 billion by 2030. This explosive growth has prompted OWASP to release a dedicated Top 10 for Agentic Applications in December 2025, addressing risks distinct from traditional large language model vulnerabilities.

How MCP tool poisoning works

The attack exploits how AI agents read natural-language metadata to decide which tools to call and how to use them. In a scenario Microsoft outlined involving a financial operations workflow, an attacker modifies the description field of an approved MCP server—the text the agent reads to understand a tool's purpose.

The poisoned description embeds hidden instructions directing the agent to collect sensitive data beyond the user's request and transmit it as part of what appears to be a legitimate API call. Because each individual action falls within the agent's normal permissions, no single security control flags the behavior as suspicious.

Crucially, this attack doesn't require compromising user credentials or exploiting a software vulnerability. It manipulates the instruction layer that guides agent behavior, turning approved tools into exfiltration channels. When MCP servers update tool metadata dynamically without triggering re-approval workflows, poisoned descriptions can go live in production environments without security review.

Why it matters

This attack pattern represents a fundamental shift in enterprise security posture. Traditional defenses focus on preventing unauthorized access or detecting malicious code. But when AI agents can autonomously invoke tools and execute multi-step workflows, the attack surface extends to the metadata that shapes agent decision-making. A compromised tool description functions like a compromised system prompt—redirecting behavior without touching the underlying application code. As organizations deploy agents with write access to email, documents, financial systems, and customer databases, the impact of such manipulation scales accordingly.

Microsoft's defense framework

Microsoft recommends a four-layer control strategy, according to the blog post first reported by the company's Incident Response team:

Supply chain governance: Maintain tenant-level allowlists of approved MCP publishers and servers. Disable blanket tool access and enable only specific, vetted integrations. The Microsoft MCP catalog provides verified first-party servers as a baseline.

Metadata inspection: Deploy Prompt Shields in Azure AI Content Safety to scan tool descriptions and responses for embedded instructions. Microsoft Defender for Cloud's AI workload protection monitors for suspicious prompts and outputs at runtime.

Action controls: Use Microsoft Purview Data Loss Prevention policies to inspect and block sensitive data in tool call parameters. For high-risk actions, require human-in-the-loop approval through Copilot Studio. Assign agents non-human identities via Microsoft Entra Agent ID and apply Conditional Access policies to their workload identities.

Behavioral correlation: Forward MCP server telemetry to Microsoft Sentinel to detect anomalous agent behavior patterns. Microsoft Defender for Cloud Apps flags when agents begin interacting with new external endpoints.

Applying least agency

Microsoft emphasizes that securing agentic AI requires more than traditional least-privilege access controls. Organizations must also implement "least agency"—limiting not just what permissions an agent holds, but how much autonomy it exercises. Even minimally permissioned agents can cause harm if they operate without appropriate guardrails on tool invocation and action execution.

The attack pattern reflects techniques first disclosed by Invariant Labs in April 2025 and observed against enterprise agents in 2026, according to Microsoft. The company follows coordinated disclosure practices and did not identify specific affected organizations.

This research was provided by Microsoft Defender Security Research and Mohammed Zaid, with contributions from Microsoft Threat Intelligence team members, as detailed in the original Microsoft Security Blog post.