The Model Context Protocol, or MCP, is an open standard introduced by Anthropic in late 2024 that lets artificial intelligence (AI) agents connect to business systems the way applications call application programming interfaces (APIs) using a common interface instead a custom-built connection for each tool, PYMNTS reported.
Before MCP, integrating an AI model into a company’s internal software required bespoke engineering for every system. The protocol eliminated that friction, letting AI agents operate directly inside enterprise systems. The International Data Corporation projected that active AI agents in enterprises will grow from 28.6 million in 2025 to more than 2.2 billion by 2030. Each of those connections runs through a description the agent trusts.
Microsoft Incident Response published a warning that attackers can hide malicious instructions inside the descriptions MCP tools use to explain themselves to AI agents. Each tool includes a short text description telling the agent what the tool does. An agent reads that description before acting. If an attacker modifies it to include hidden instructions, the agent follows them, believing the order came from a source it trusts.
Microsoft illustrated the attack with a finance scenario: an agent connects to a vendor invoice tool whose description has been surreptitiously modified, collects invoice files using the analyst’s own permissions and routes them to an outside server, all while returning a normal-looking answer.
Attackers Can Steer AI Agents by Modifying Tool Descriptions
The problem is structural. Tool descriptions and user instructions share the same space inside an agent’s working memory. Changing a description steers the agent’s behavior as effectively as rewriting its underlying instructions. Microsoft called this a “trust boundary” problem: the agent cannot distinguish a legitimate instruction from its owner and one inserted by whoever controls a connected tool.
The attack has a track record. Security researchers at Invariant Labs demonstrated it in 2025, hiding instructions in a tool’s description to trick an AI coding assistant into sending private credentials to an external address, The Hacker News reported. In September, a software package trusted for 15 clean releases was updated with a hidden instruction that copied every email an AI agent sent to an outside address, The Hacker News added. The Financial Stability Board also warned recently that AI agents can create risks that materialize faster than human oversight can catch, PYMNTS reported.
Banks Face the MCP Security Problem Inside Their Own Operations
Banks have moved faster on MCP than the security frameworks governing it. For example, Moody’s deployed MCP-based agents that reduced credit memo preparation from 40 hours to two minutes, PYMNTS reported. Dun & Bradstreet connected its commercial risk database to Claude via MCP to automate customer and business verification.
MCP adoption across banking is accelerating just as quickly. Taktile CEO Maik Taro Wehmeyer told PYMNTS CEO Karen Webster that 2026 is “the year where AI will come to financial services,” with agents beginning to automate commercial lending, insurance claims and business underwriting, PYMNTS reported. Each deployment connects an AI agent to systems holding payment data, customer records or regulatory documentation and usually happens via MCP.
The attack Microsoft documented does not require a breach. It requires access to a tool description. A poisoned description executes using the agent’s own credentials, through an approved channel, at a moment that looks like routine work. That is precisely how banks have been told to think about agent governance. Rob Rooney, CEO of Hyperlayer, told Webster that as AI agents begin acting on behalf of customers, banks need approvals, controls, audit trails and data lineage capable of operating at machine speed.
