New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider.
The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire.
The work comes from Microsoft Incident Response and its Defender security research team, and it lands as companies start letting AI do more than read and summarize.
What changes when an agent can act
Until recently, the workplace AI risk was mostly framed around what a model read and wrote. A poisoned document could skew an answer, and that was mostly where it ended.













