What happened
On June 30, 2026, Microsoft Incident Response published a detailed threat brief on MCP tool poisoning — where attackers embed hidden instructions in MCP tool descriptions to hijack enterprise AI agents (e.g., Copilot Studio, Azure AI Foundry) into silently exfiltrating data. The post specifies Azure AI Content Safety Prompt Shields as the recommended runtime defense and recommends treating MCP server metadata as untrusted input requiring security review. A companion June 26 post ('The state of MCP security in 2026') documented updated OAuth 2.1/PKCE authorization hardening and per-tenant rate limiting for the Prisma AIRS Scan API.
Why it matters
This is the first Microsoft Incident Response–tier advisory on MCP supply-chain risk, moving agentic AI security from theoretical to operationally urgent. It names specific Copilot Studio and Azure AI Foundry attack paths affecting enterprises already in production, and prescribes concrete tooling (Prompt Shields, Entra Agent ID) rather than generic guidance.
Applicability
Immediate action for any enterprise deploying Microsoft 365 Copilot, Copilot Studio, or Azure AI Foundry agents: audit MCP tool metadata, restrict 'Allow all' MCP permissions, enable Prompt Shields, and assign Entra Agent IDs.