Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data
Summary
Microsoft researchers discovered that attackers can poison tool descriptions in MCP (Model Context Protocol, an open system that lets AI agents call outside tools) to trick AI agents into leaking company data without breaking any rules. The attack works by hiding malicious instructions inside the plain-text description of a tool, so when an agent reads the description to decide what to do, it follows the hidden orders along with legitimate ones, making the data theft look like normal activity.
Solution / Mitigation
Microsoft recommends: (1) Treat every connected tool as part of your supply chain and keep a list of approved tool publishers, turning off "allow all" and letting an agent use only specific tools it needs. (2) Treat a tool's description like a system prompt by reviewing changes to it the way you would review a code change and scanning the text for commands that have no business sitting in a help field. (3) Put a human in front of risky actions, particularly anything that moves money or shares data.
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html
First tracked: June 30, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%