What happened
On June 30, 2026, Microsoft Incident Response published a detailed threat advisory on MCP tool poisoning — an attack where adversaries alter tool description metadata (not the tool code) to silently instruct an AI agent to perform unauthorized data collection or exfiltration. The post includes a worked finance-workflow scenario, detection logic, and prescriptive containment steps for Copilot Studio, Azure AI Foundry, and third-party MCP integrations.
Why it matters
This is the first major enterprise security vendor to formally operationalize MCP tool poisoning as a threat class with IR-grade detection and response guidance. It reframes tool descriptions as a live instruction surface that must be security-reviewed, shifting governance requirements for every MCP-connected enterprise agent deployment.
Applicability
Security architects and SOC teams deploying Copilot Studio, Azure AI Foundry, or any MCP-connected agent should review and implement the detection/containment guidance immediately.