The rule was never broken

On 30 June 2026 Microsoft's security team published a warning about the tools your AI agents connect to. The problem is not a virus or an unpatched flaw. It is the short, plain-language description that ships with every tool to tell the agent what the tool does and when to use it. An agent reads that text and trusts it. If an attacker edits it, the agent follows the edit.

Microsoft's example is deliberately mundane. A finance agent is asked to gather the last thirty unpaid invoices and send them to a server. Every individual step looks legitimate, so nothing trips an alarm. The agent is not hacked. It is instructed, in a place no one thought to guard.

It has already happened

This is not a lab scenario. In September 2025 researchers found an npm package called postmark-mcp that had mirrored a legitimate email tool through fifteen clean releases. Version 1.0.16 slipped in a single line that secretly copied every email the agent sent to an outside address. Teams that had approved the tool months earlier were exposed the moment they updated.

The reason this class of attack keeps working is that most controls watch the model, not the toolbox. A prompt filter reads what the user types. It does not re-read the description of a tool the agent has trusted for six months, which is exactly where the instruction now hides.

Treat your tools as a supply chain

Microsoft's own guidance is the right frame for an owner. Every connected tool is part of your supply chain. Keep a list of approved tool publishers, turn off allow all, and let each agent use only the specific tools it needs. Treat a tool's description like a system prompt, review any change to it the way you would review a code change, and flag commands that have no business sitting in a help field.

None of that requires a new product. It requires knowing what your agents are connected to, who wrote it, and what changed since you approved it. Most firms rolling out agents in finance, procurement and support cannot answer those three questions today, which is the real exposure.