Model Context Protocol (MCP) Tool Poisoning Hijacks AI Agents to Steal Data
- Attack Technique: Threat actors poison MCP tool descriptions to redirect AI agents into unauthorized actions.
- Agent Redirection: Microsoft showed how an agent can exfiltrate data in response to a routine question.
- Projected Scale: IDC projects active enterprise AI agents to grow from 28.6 million in 2025 to 2.2 billion by 2030.
Attackers can leverage Model Context Protocol (MCP) tool poisoning to turn trusted AI agents into a control plane for data loss. Microsoft Incident Response has published an analysis that examines how attackers manipulate tool metadata to trigger unauthorized actions.
How MCP Tool Poisoning Redirects AI Agents
The attack targets agents that act rather than just read, according to a new Microsoft report. In one example, a financial operations team builds a Copilot Studio agent to handle vendor invoices, connecting it to a Dataverse MCP server, an Outlook connector, and a third-party invoice enrichment MCP server.
Because the AI agent reads tool descriptions to decide when to call a tool, altering that metadata can redirect its behavior as effectively as changing its system prompt.
The pattern unfolds in four stages:
- In tool description poisoning, a developer silently modifies the enrichment server's description, hiding instructions to collect unpaid invoices.
- During silent re-trust, the updated metadata goes live without re-approval.
- At user invocation, an analyst asks a routine question, and the agent follows the hidden instructions.
- Finally, in exfiltration, the enrichment server logs the attached invoice summary to an attacker-controlled endpoint while the analyst sees a clean answer.
Microsoft's Recommended Mitigations
Microsoft advises treating every MCP server as part of the supply chain, treating tool descriptions as system prompts, and applying least agency, not just least privilege.
Mitigation recommendations for AI agent hijacking include:
- Govern the supply chain.
- Inspect tool metadata.
- Guard the action.
- Correlate the chain.
In other recent news, a fake Perplexity AI Chromium extension hijacks browser search via typosquatted domains. A threat report last week said fake AI tools were used in 33,000+ attacks in 2025.






