Microsoft warns poisoned MCP tool descriptions can make AI agents leak data
Microsoft is warning that attackers can hijack AI agents through poisoned tool descriptions, the plain-text notes that tell an agent what a tool does. Because agents connect to systems through the Model Context Protocol and read these descriptions to decide how to act, an attacker who updates a trusted third-party tool can bury a hidden instruction in its description, telling the agent to quietly collect and exfiltrate data on its next task. Many setups pick up description changes without re-approval, so the poisoned version goes live silently. Each step the agent takes looks legitimate and runs with the user's own permissions, so no alarm fires.
- Check
- Inventory the MCP tools and servers your AI agents can use, especially third-party ones, and check whether your setup re-approves or reviews tool descriptions when they change rather than trusting updates automatically.
- Affected
- Organizations running AI agents connected to third-party MCP tools without re-approval on description changes; a poisoned description can redirect the agent to exfiltrate data using the user's own permissions, invisibly.
- Fix
- Require review when tool descriptions change, pin and verify tool sources, scope agents with least privilege, log every tool invocation at the infrastructure layer, and gate sensitive actions behind human approval.