On June 30, 2026, Microsoft warned of a new attack technique in which AI agents can be manipulated through instructions hidden in the descriptions of MCP (Model Context Protocol) tools, causing them to leak corporate data. This is not a software bug or a broken rule, but an exploitation of a design blind spot in which an LLM trusts tool metadata — a technique known as "Tool Poisoning."
June 30, 2026 · Microsoft Security
Poisoned by a Description: How AI Agents Can Be Tricked into Leaking Data
Microsoft warns that hidden instructions buried in an MCP tool's description — not a bug or a bad permission — can steer an AI agent into quietly exfiltrating sensitive corporate data while every single action looks legitimate.
Injection success rate — with and without defenses
No mitigations
Indirect prompt injection succeeds under standard conditions
With Spotlighting
Same attack, mitigations applied
Takeaway: the attack works more than half the time by default — but defenses cut it to near zero.
36.7%
of 7,000+ MCP servers examined
flagged for a possible SSRF vulnerability
30
unpaid invoices
silently summarized & sent out in the demo attack
ASI02/04
OWASP Agentic Top 10
Tool Misuse & Agentic Supply-Chain risk
How the attack unfolds
1 · Poison
Attacker edits a 3rd-party tool's hidden description via a server update — user-facing summary unchanged.
→
2 · Load
Agent always loads tool metadata into context and treats it as legitimate instructions.
→
3 · Exfiltrate
Agent gathers data and sends it out as parameters of a normal-looking tool call.
Why it's hard to catch — and the new mindset
Each individual action looks legitimate, descriptions aren't fully shown in the UI, and re-approval often fails when metadata is updated dynamically. The emerging consensus:
Treat descriptions like the system prompt
Govern the tool-chain supply chain
Not just least privilege — "least agency"
Microsoft's mitigations
Agent Governance Toolkit
Scans tool definitions for hidden instructions (Public Preview)
Work IQ MCP
Real-time evaluation before tool calls across Microsoft 365
Prompt Shields
Detects and blocks malicious prompts and context
Human-in-the-Loop
Inserts human approval for high-risk actions
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…