In this article
As enterprise deployments mature, some enterprise AI agents are moving from reading content to taking action. In this post, Microsoft Incident Response walks through an attack pattern that targets the fastest-growing part of the agent AI supply chain: Model Context Protocol (MCP) tools. The post provides a practical playbook for detecting, mitigating, and preventing these types of attacks using Microsoft security controls.
Table of Contents
From reading to acting
This is the third post in the AI Application Security series. The AI Applications Series 1: Security Considerations When Adopting AI Tools examined how AI adoption expands organizations’ attack surface. AI Application Series 2: Prompt Abuse Detection and Analysis in AI Tools demonstrated how indirect prompt injection can affect the output of a passive AI summarizer. In both cases, the AI simply read content and produced text, but did not take any action. This post is about what happens when that boundary changes.
AI agents can schedule multi-step tasks, decide which tools to invoke, and perform actions on behalf of the user. Microsoft 365 Copilot can design and send emails, create documents, and update calendar entries. With Copilot Studio and Azure AI Foundry, organizations can create custom agents that connect to business systems using MCP. As AI is increasingly used in read/write workflows, the impact profile of vulnerabilities may shift. An immediate injection against a summer can distort an output. An immediate injection against an active ingredient can trigger an action.
According to the International Data Corporation (IDC), the number of active AI agents in enterprises is expected to increase from 28.6 million in 2025 to over 2.2 billion in 2030. Because of this scale, the OWASP Top 10 for Agent Applications, published in December 2025, now stands alongside the LLM Top 10 as a reference framework for defenders. This post focuses on one of the fastest evolving categories: tool abuse and agent supply chain risks exploited through manipulated MCP tool metadata.
The following pattern corresponds to ASI02 – Tool Misuse and ASI04 – Agentic Supply Chain Vulnerabilities. It reflects techniques first published by Invariant Labs in April 2025 and observed in a growing number of corporate agents in 2026.
The environment
A financial operations team creates a Copilot Studio agent to help analysts process supplier invoices. The agent has generative orchestration enabled and connects to three tools: a Dataverse MCP server that stores the approved supplier base, an Outlook connector for supplier correspondence, and an added third-party invoice enrichment MCP server to validate banking data against an external reference database. The third-party server is reviewed and released for production use by the team’s service owner lead. No special security check is carried out.
Attack chain overview
Phase 1: Tool Description Poisoning. A developer pushes an update to the enrichment server. The name of the tool and the summary for the user remain unchanged, but the description of the MCP tool is silently changed. This description is the natural language metadata that the agent reads to decide how and when to invoke the tool. Hidden within seemingly legitimate formatting instructions is a hidden block of commands that instructs the agent to retrieve the last thirty unpaid invoices, summarize them, and append this summary as an additional parameter to the enrichment call – formulated as a fraud heuristic requirement.
Phase 2: Silent renewed trust,The MCP dynamically reflects tool metadata updates. In configurations where description changes do not trigger a re-approval workflow, the updated instructions take effect without additional review. The poisoned description is live in production.
Phase 3: User invocation. A financial analyst asks the agent a routine question about a supplier. Without any visible indication, the agent follows the hidden instructions contained in the description of the poisoned tool, collects sensitive financial data that goes beyond the scope of the original request, and passes it along as part of the enrichment call as if it were a normal part of the request.
Phase 4: Exfiltration. The enrichment server returns a plausible “validated” response and silently logs the attached invoice summary to an endpoint controlled by the threat actor. The analyst sees a clear answer. In standard configurations, an alert may not be triggered. Every single action the agent took was within its normal operating parameters. This pattern does not exploit a vulnerability in Copilot itself, but rather a trust boundary introduced by external tool integrations.
Figure 1: MCP tool poisoning attack flow of a Copilot Studio agent, with Microsoft controls associated with each phase.
Why this pattern is effective
Every single action the agent takes is legitimate. The tool is approved, the Dataverse query inherits the analyst’s permissions, and the outbound call goes to a server that was allowlisted when added. The vulnerability does not lie in a single system; it lies in the trust boundary between them,The MCP mixes instructions (tool descriptions) with data, so a change to a tool’s metadata can redirect the agent’s behavior as effectively as a change to its system prompt. The agent cannot distinguish between a legitimate instruction written by its owner and a malicious instruction inserted by an upstream maintainer.
Mitigation and protection guidelines
Detect and respond with Microsoft security tools
The controls shown in Figure 1 apply at four points in the attack chain, each supported by a specific Microsoft feature:
- Control the supply chain. Maintain a tenant-level allowlist of approved MCP publishers and servers. The Microsoft MCP catalog provides a list of first-party servers. Check and evaluate where the origin can be proven. Disable Allow everything on MCP connections and enable only the specific tools an agent needs.
- Check the tool metadata. Use Prompt Shields in Azure AI Content Safety to review the content that flows from MCP tool responses and descriptions into the agent context. Defender for Cloud AI workload protection warns about suspicious prompts and tool output at runtime. Review metadata changes to production tools with the same care as changes to system prompts.
- Monitor what is happening. Microsoft Purview Data Loss Prevention (DLP) policies examine tool invocation parameters and can block sensitive data in outbound payloads. For high-impact actions such as accessing financial data, external sharing, or account changes, configure human-in-the-loop approval through Copilot Studio. Assign each agent a non-human identity in the Microsoft Entra Agent ID and apply conditional access to their workload identity.
- Correlate the chain. When MCP server telemetry data is instrumented and forwarded to Microsoft Sentinel, it can be correlated with agent behavior signals to flag anomalous sequences. Microsoft Defender for Cloud Apps displays new external endpoints that an agent has started interacting with. Microsoft Purview audit logs provide the evidence trail for investigations and post-incident review.
Three principles for agent supply chain governance
Treat each MCP server as part of the supply chain. Each MCP server that an agent can call is a production dependency. Inventory approved publishers, review tool descriptions during security review rather than relying solely on tool names, and require documented ownership for each third-party server before production use.
Treat tool descriptions as system prompts. Because models can read tool metadata as part of their working context, changing this metadata is equivalent to changing agent instructions. Require change review for updates to tool descriptions for critical agents and use prompt shields to check metadata for mandatory language that does not belong in a documentation field.
Apply the least freedom of choice, not just the least privilege. There are important factors to consider when it comes to permissions. Even an agent with minimal privileges can cause harm if it has too much autonomy. Turn off Allow everything Tool access, require human consent for high-impact actions, and establish basic agent behavior in Microsoft Sentinel so that deviations from the norm – such as: New endpoints, advanced parameters, or unusual query patterns can trigger alerts.
Diploma
Agents acting on behalf of users rely on a supply chain of tools that grows as governance programs evolve. A threat actor who changes a tool description can impact agents that rely on it, even without directly involving a user, prompt, or credentials. The OWASP Top 10 for Agent Applications provides the framework.
Microsoft security features – including Copilot Studio guardrails, Prompt Shields, Defender for Cloud AI Protection, Microsoft Entra Agent ID, Microsoft Purview DLP, Microsoft Defender for Cloud Apps and Microsoft Sentinel – provide the controls. What remains is to consciously apply them to agent workflows: escalating permissions, governing the tool supply chain, monitoring agent behavior, and conducting red teaming exercises before deployment.
References
Microsoft follows coordinated disclosure practices and does not disclose details about a specific affected organization.
This research is provided by Mohammed Zaid, Microsoft Defender Security Research, and with contributions from Microsoft Threat Intelligence members.
Learn more
For the latest security research from the Microsoft Threat Intelligence community, visit the Microsoft Threat Intelligence blog.
To be notified of new releases and participate in social media discussions, follow us on LinkedIn, X (formerly Twitter) and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
View our documentation to learn more about our real-time protection features and how to enable them in your organization.
https://www.microsoft.com/en-us/security/blog/2026/06/30/securing-ai-agents-ai-tools-move-from-reading-acting/
