Microsoft has issued a warning about a new attack vector targeting AI agents that use the Model Context Protocol (MCP). Attackers can poison tool descriptions to hijack AI agents, causing them to exfiltrate sensitive data without breaking any rules. The attack exploits the trust boundary between AI agents and external tools, where instructions and data are mixed. Microsoft recommends treating tools as part of the supply chain, reviewing description changes like code changes, and implementing human approval for risky actions. The attack has been demonstrated in research and real-world incidents, including the postmark-mcp npm package.
CVEs: CVE-2026-20245
Companies: Microsoft, Invariant Labs, Koi Security
Products: Microsoft 365 Copilot, Copilot Studio, Azure AI Foundry, Prompt Shields, Purview DLP, Entra Agent ID, Defender for Cloud, Sentinel
Original source: thehackernews.com