Model Context Protocol (MCP) Tool Poisoning Hijacks AI Agents to Steal Data

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Attack Technique: Threat actors poison MCP tool descriptions to redirect AI agents into unauthorized actions.
  • Agent Redirection: Microsoft showed how an agent can exfiltrate data in response to a routine question.
  • Projected Scale: IDC projects active enterprise AI agents to grow from 28.6 million in 2025 to 2.2 billion by 2030.

Attackers can leverage Model Context Protocol (MCP) tool poisoning to turn trusted AI agents into a control plane for data loss. Microsoft Incident Response has published an analysis that examines how attackers manipulate tool metadata to trigger unauthorized actions.

How MCP Tool Poisoning Redirects AI Agents

The attack targets agents that act rather than just read, according to a new Microsoft report. In one example, a financial operations team builds a Copilot Studio agent to handle vendor invoices, connecting it to a Dataverse MCP server, an Outlook connector, and a third-party invoice enrichment MCP server. 

Because the AI agent reads tool descriptions to decide when to call a tool, altering that metadata can redirect its behavior as effectively as changing its system prompt.

Attack flow for MCP tool poisoning of a Copilot Studio agent | Source: Microsoft 
Attack flow for MCP tool poisoning of a Copilot Studio agent | Source: Microsoft 

The pattern unfolds in four stages:

Microsoft advises treating every MCP server as part of the supply chain, treating tool descriptions as system prompts, and applying least agency, not just least privilege.

Mitigation recommendations for AI agent hijacking include: 

In other recent news, a fake Perplexity AI Chromium extension hijacks browser search via typosquatted domains. A threat report last week said fake AI tools were used in 33,000+ attacks in 2025.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: