Model Context Protocol (MCP) is an open standard introduced by Anthropic in late 2024 that allows artificial intelligence (AI) agents to connect to business systems in the same way that applications call application programming interfaces (APIs), using a common interface rather than custom-built connections for each tool, PYMNTS reported.
Before MCP, integrating AI models into a company’s internal software required bespoke engineering for each system. This protocol eliminates that friction and allows AI agents to operate directly within enterprise systems. International Data Corporation predicts that active AI agents within enterprises will grow from 28.6 million in 2025 to more than 2.2 billion by 2030. Each of these connections is made through a description that the agent trusts.
Microsoft Incident Response issued a warning that attackers could hide malicious instructions within the descriptions that MCP tools use to describe themselves to AI agents. Each tool includes a short text description that tells agents what the tool does. Agents read the instructions before acting. If the attacker modifies it to include hidden instructions, the agent will believe the instructions come from a trusted source and follow them.
Microsoft illustrated this attack with a financial scenario. The agent connects to a vendor invoice tool with a secretly modified description, collects the invoice file using the analyst’s own privileges, and returns a normal response while routing it to an external server.
Attackers can manipulate AI agents by changing the tool description
The problem is structural. Tool descriptions and user instructions share the same space in the agent’s working memory. Changing the description can control the agent’s behavior as effectively as rewriting the underlying instructions. Microsoft calls this the “trust boundary” problem. The agent cannot distinguish between legitimate commands from its owner and commands inserted by the person controlling the connected tool.
The attack has a proven track record. Security researchers at Invariant Labs demonstrated it in 2025, hiding instructions in the tool’s description to trick an AI coding assistant into sending private credentials to an external address, The Hacker News reported. In September, trusted software packages were updated with 15 clean releases to add hidden instructions to copy all emails sent by the AI agent to external addresses, The Hacker News added. As reported by PYMNTS, the Financial Stability Board recently warned that AI agents could create risks that materialize faster than human oversight can keep up.
Banks are facing MCP security issues within their own operations
Banks are moving to MCP faster than the security frameworks that govern it. For example, Moody’s introduced an MCP-based agent that reduced the time it takes to create a credit memo from 40 hours to 2 minutes, PYMNTS reported. Dun & Bradstreet connected its commercial risk database to Claude through MCP to automate customer and business validation.
Bank-wide MCP implementation is accelerating rapidly as well. As reported by PYMNTS, Taktile CEO Maik Taro Wehmeyer told PYMNTS CEO Karen Webster that 2026 is “the year that AI enters financial services,” as agencies begin automating commercial lending, insurance claims, and business underwriting. Each deployment connects an AI agent to a system that holds payment data, customer records, or regulatory documents, typically through an MCP.
The attack documented by Microsoft does not require a breach. You will need to access the tool description. Poisoned descriptions are executed using the agent’s own credentials through authorized channels during what appears to be routine work. This is exactly how banks have been told to think about agent governance. Hyperlayer CEO Rob Rooney told Webster that as AI agents begin to act on behalf of customers, banks need authorization, control, audit trails and data lineage that can operate at machine speed.
