Microsoft's security team just published research showing how attackers can hijack AI agents connected via Model Context Protocol (MCP) using nothing more than a poisoned tool description. The agent reads a tool's description, treats the embedded instructions as legitimate, and quietly exfiltrates data as part of what looks like a routine enrichment call. Log entries look clean. That's what makes it so nefarious and why most of the commentary on this story is aimed at the wrong fix.
The instinctive response is to treat this as a prompt injection variant: add more filtering, better classifiers, a "does this look suspicious" layer sitting between the agent and the tool call. That's the same move the industry has been making for three years, and it keeps producing the same result - a probabilistic defense against a deterministic attack. You cannot reliably distinguish a legitimate enrichment instruction from a malicious one by reading English. Attackers know this, which is exactly why the description itself has become the payload.
Agent tools and code should be cryptographically signed, like you would any critical piece of infrastructure or code. Most agents today are treating third-party tool descriptions as trusted configuration when they should be treated as untrusted, attacker-controlled input. Any deterministic code should be validated and digitally signed before it's executed.
The actual failure here isn't semantic, it's architectural: we solved a nearly identical problem in web applications two decades ago. Nobody stops SQL injection by getting better at detecting suspicious strings in a query - they stop it by using parameterized queries, so the database never interprets user input as executable structure in the first place. The fix wasn't smarter filtering. It was removing the trust decision from the interpretation layer entirely.
Agentic AI needs the same move. A tool's description shouldn't earn any authority over what an agent does just because it arrived over MCP looking like normal metadata. Authority should come from a cryptographic signature the agent can verify before it ever "reads" what the tool claims to do. Reject anything unsigned or tampered at the runtime level, full stop, regardless of how reasonable the embedded instructions sound. That provides a structural guarantee, not a judgment call, and it's the difference between an agent that occasionally gets fooled by clever wording and one that's mathematically incapable of executing a tool it can't verify.
For anyone deploying agents in finance, healthcare, or government right now, this Microsoft research is worth reading not as a one-off vulnerability disclosure but as validation of a design principle: if your agent security model still just routes through "does this text look okay," you've already lost the architecture battle. Even if this specific exploit gets patched, the next poisoned description is already being written.
NuDay Platform enforces tool authenticity with a signed tool registry, rejecting unsigned or tampered calls at the runtime level. See how it works or request a demo.
Sources: Microsoft Security Blog, "Securing AI agents: When AI tools move from reading to acting" · The Hacker News, "Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data"