Microsoft researchers have identified a novel attack vector targeting AI agents through poisoned tool descriptions. Attackers can manipulate how AI agents understand available tools, tricking them into leaking sensitive company data without violating any explicit security rules.
The attack exploits a fundamental weakness in AI agent design. When an AI agent receives a tool description, it interprets that description to understand what the tool does and when to use it. An attacker can craft a malicious description that causes the agent to misuse legitimate tools in ways that appear routine to monitoring systems. The agent follows its instructions correctly but executes actions its human operators never intended.
The research comes from Microsoft Incident Response. The attack succeeds because it doesn't require the agent to break programmed restrictions. Instead, it manipulates the agent's understanding of what it should do. A poisoned description might reframe a data export tool as a "compliance check" or similar benign operation, causing the agent to execute it when it normally wouldn't.
This represents a significant threat to organizations deploying AI agents with access to sensitive systems. Most organizations focus security monitoring on detecting rule violations. This attack bypasses that approach entirely. An AI agent quietly handling data extraction based on a misleading tool description generates logs that look legitimate.
The risk applies broadly. Any organization using AI agents to interact with business systems faces exposure. The agent might have access to customer databases, financial records, intellectual property systems, or communication platforms. A single poisoned tool description could turn that access into a data exfiltration channel.
Defenders need to implement controls beyond rule enforcement. Input validation for tool descriptions, anomaly detection on agent behavior, and human oversight of agent actions become necessary. Organizations should audit their AI agent deployments and the tool descriptions those agents receive. Microsoft's research suggests that default configurations leave most deployments vulnerable.
