
Microsoft warns that hidden instructions in MCP tool descriptions let attackers hijack AI agents in banking. Moody's cut credit memo time from 40 hours to two minutes — but security lags.
Microsoft Incident Response published a warning that attackers can hide malicious instructions inside the descriptions that AI agents use to understand their tools. The Model Context Protocol, or MCP, is an open standard from Anthropic that lets AI agents connect to business systems the way apps call APIs. Each tool in MCP includes a short text description. The agent reads that description before acting. If an attacker modifies the description to include hidden instructions, the agent follows them, believing the order came from a trusted source.
Microsoft illustrated the attack with a finance scenario: an agent connects to a vendor invoice tool whose description has been surreptitiously modified. The agent collects invoice files using the analyst's own permissions and routes them to an outside server, all while returning a normal-looking answer.
The problem is structural. Tool descriptions and user instructions share the same space inside an agent's working memory. Changing a description steers the agent's behavior as effectively as rewriting its underlying instructions. Microsoft called this a trust boundary problem: the agent cannot distinguish a legitimate instruction from its owner and one inserted by whoever controls a connected tool.
Security researchers at Invariant Labs demonstrated the attack in 2025. They hid instructions in a tool's description to trick an AI coding assistant into sending private credentials to an external address, The Hacker News reported. In September, a software package trusted for 15 clean releases was updated with a hidden instruction that copied every email an AI agent sent to an outside address, The Hacker News added.
The Financial Stability Board recently warned that AI agents create risks that materialize faster than human oversight can catch, PYMNTS reported. That warning lands as banks push MCP into production at speed.
Moody's deployed MCP-based agents that cut credit memo preparation from 40 hours to two minutes, PYMNTS reported. Dun & Bradstreet connected its commercial risk database to Claude via MCP to automate customer and business verification. The International Data Corporation projects active AI agents in enterprises will grow from 28.6 million in 2025 to more than 2.2 billion by 2030. Each of those connections runs through a description the agent trusts.
Taktile CEO Maik Taro Wehmeyer told PYMNTS CEO Karen Webster that 2026 is "the year where AI will come to financial services," with agents beginning to automate commercial lending, insurance claims and business underwriting. Each deployment connects an AI agent to systems holding payment data, customer records or regulatory documentation, usually via MCP.
The attack Microsoft documented does not require a breach. It requires access to a tool description. A poisoned description executes using the agent's own credentials, through an approved channel, at a moment that looks like routine work. That is precisely how banks have been told to think about agent governance.
Rob Rooney, CEO of Hyperlayer, told Webster that as AI agents begin acting on behalf of customers, banks need approvals, controls, audit trails and data lineage capable of operating at machine speed. The gap between adoption speed and security frameworks is wide. Moody's itself faces this question: the MCO stock page shows a 60 Alpha Score, labeled Moderate, suggesting the market has not yet priced in this operational risk. Microsoft's MSFT stock page carries a 55 Alpha Score, labeled Mixed, with shares flat on the day.
Banks are racing into AI faster than security can follow. The tool description attack is the opening shot. The next iteration will not need a description at all.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.