Microsoft — Seven New AI Agent Attack Vectors in Failure Taxonomy

AI relevance: Microsoft has formally expanded its AI agent failure taxonomy to include seven new attack vectors that target enterprise AI agent deployments — directly mapping to real-world risks in Copilot, MCP-connected tools, and agentic AI systems operating in organizational environments.

What Happened

  • Microsoft published an update to its AI agent failure taxonomy, adding seven new critical vulnerability categories that map to how enterprise AI agents fail under adversarial conditions.
  • Among the new vectors: MCP/Plugin Abuse — formally documenting the attack surface specific to the Model Context Protocol and its plugin ecosystem, validating the threat pattern seen in the postmark-mcp malicious MCP server incident.
  • Session Context Contamination — an adversary introduces data that biases the agent's reasoning across subsequent steps without triggering security controls at any individual step. This is a gradual attack that evades threshold-based monitoring.
  • The taxonomy update provides structured categories for AI security teams to map vulnerabilities against, covering the full lifecycle from prompt input through tool execution to output generation.
  • The expansion reflects the maturation of AI agent security from theoretical research to operational security engineering — treating AI agents as enterprise systems with defined attack surfaces rather than black-box models.
  • The update cross-references the growing body of MCP security frameworks, including IEEE Access research that identifies 31 types of MCP attacks across four categories: Direct Tool Injection, Indirect Tool Injection, Malicious User Attacks, and LLM Inherent Attacks.

Why It Matters

Formal taxonomy is the first step toward systematic defense. By categorizing AI agent attack vectors, Microsoft gives security teams a structured vocabulary to audit agent deployments, write detection rules, and design controls. The inclusion of MCP/Plugin Abuse validates that the Model Context Protocol's rapid adoption has outpaced its security model — a theme echoed in multiple recent incidents including malicious MCP servers exfiltrating corporate email.

What to Do

  • Map your existing AI agent deployments against Microsoft's taxonomy to identify which attack vectors apply to your infrastructure.
  • For MCP-connected tools: implement tool-access auditing, validate MCP server provenance before installation, and monitor for anomalous tool-call patterns.
  • Deploy session-level monitoring that looks for reasoning drift or context contamination, not just per-step security controls.
  • Treat AI agents as enterprise systems with defined attack surfaces — not as magic black boxes that somehow handle security.
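The session-level monitoring and tool-access auditing recommended above, as an added illustration that is not Microsoft's code or any MCP project's: a per-step threshold check beside a cumulative drift score, run over a constructed agent session in which no single step is loud enough to alert but the session as a whole drifts. The `Step` records, score values, thresholds and decay factor are assumptions for the example.

```python
"""Session-level drift monitoring for an AI agent, beside a per-step check.
Added example, not Microsoft's or any MCP project's code. It assumes each
agent step already carries a contamination score in [0, 1] from an upstream
signal; the Step records, thresholds and decay below are constructed."""
from dataclasses import dataclass

@dataclass
class Step:
    turn: int
    source: str             # "user", "model", or "tool:<tool name>"
    injection_score: float  # per-step contamination signal in [0, 1]

PER_STEP_THRESHOLD = 0.8   # typical "one loud step" alert threshold
SESSION_THRESHOLD = 1.25   # cumulative drift budget for a whole session
DECAY = 0.9                # weight of earlier steps shrinks by this per turn

def per_step_alerts(steps):
    """Threshold-based monitoring: flags only steps that are loud on their own."""
    return [s.turn for s in steps if s.injection_score >= PER_STEP_THRESHOLD]

def session_drift(steps):
    """Exponentially weighted sum of sub-threshold signals across turns.
    Returns (score at first breach or at session end, breaching turn or None)."""
    acc = 0.0
    for s in steps:
        acc = acc * DECAY + s.injection_score
        if acc >= SESSION_THRESHOLD:
            return round(acc, 3), s.turn
    return round(acc, 3), None

def unapproved_tools(steps, allowlist):
    """Tool-access audit: tools called during the session that are not allowlisted."""
    called = {s.source.split(":", 1)[1] for s in steps if s.source.startswith("tool:")}
    return sorted(called - set(allowlist))

# Constructed session: no single step crosses 0.8, but untrusted tool output
# keeps nudging the context in the same direction turn after turn.
SESSION = [
    Step(1, "user", 0.05), Step(2, "tool:search", 0.30),
    Step(3, "model", 0.10), Step(4, "tool:search", 0.35),
    Step(5, "tool:fetch_page", 0.40), Step(6, "model", 0.15),
    Step(7, "tool:fetch_page", 0.45), Step(8, "model", 0.20),
]

if __name__ == "__main__":
    print("per-step alerts:", per_step_alerts(SESSION))               # []
    print("session drift:", session_drift(SESSION))                   # (1.433, 7)
    print("unapproved tools:", unapproved_tools(SESSION, ["search"]))  # ['fetch_page']
```

The per-step check returns nothing for this session while the decayed cumulative score breaches its budget at turn 7, which is the gap the taxonomy's Session Context Contamination vector describes.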

Sources