EXPLOITATION OF MODEL CONTEXT PROTOCOL IN AGENTIC AI DEPLOYMENTS

MITRE Techniques

• [T1583.001 ] Acquire Infrastructure: Domains – Threat actors use infrastructure to host malicious MCP servers and endpoints for exfiltration (‘publish a server to these registries without identity verification’ and ‘attacker-controlled endpoint’).
• [T1195.001 ] Supply Chain Compromise: Compromise Software Dependencies and Packages – Malicious MCP packages and silent updates are used to gain trust and modify behavior (‘trusted package source’ and ‘silent update modified the tool’s email-sending behaviour’).
• [T1588.007 ] Obtain Capabilities: Artificial Intelligence – Adversaries leverage AI agent ecosystems and MCP-connected tooling to obtain offensive capability (‘malicious server submission’ and ‘agent operating through MCP’).
• [T1195.002 ] Supply Chain Compromise: Supply Chain Compromise – The attack path relies on compromised server definitions and registry-delivered malicious MCP servers (‘compromised provider publishes an MCP server’ and ‘malicious server submission’).
• [T1566.002 ] Phishing: Spearphishing Link – Social engineering can lure developers into connecting to malicious MCP servers (‘social engineering lure directing a developer to a malicious server definition’).
• [T1059.006 ] Command and Scripting Interpreter: Python – STDIO-based injection can execute Python-level commands via the official SDK path (‘STDIO transport passes configuration parameters directly to the host operating system shell’).
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – JavaScript-based host tooling and runtimes are among affected environments for command execution (‘affected production platforms included Cursor, VS Code, Windsurf’).
• [T1554 ] Compromise Host Software Binary – Rug pull style updates modify trusted server behavior after approval (‘post-approval modification’ and ‘tool definition changes after an agent has approved it’).
• [T1548 ] Abuse Elevation Control Mechanism – Attacks abuse agent trust and privileged execution context to escalate actions across integrated servers (‘the attacker controls an agent with access to all of those systems simultaneously’).
• [T1027 ] Obfuscated Files or Information – Malicious instructions are hidden inside tool metadata and descriptions (‘malicious instructions embedded in tool metadata’).
• [T1036.005 ] Masquerading: Match Legitimate Resource Name or Location – Tool squatting and typosquat packages imitate legitimate sources (‘tool squatting, typosquat packages’).
• [T1078 ] Valid Accounts – Legitimate agent credentials are used to perform unauthorized actions (‘all tool calls execute under legitimate agent credentials’).
• [T1564.008 ] Hide Artifacts: Email Hiding Rules – Exfiltration is carried out through email workflows and hidden within normal mail activity (‘compose email messages to an external address’).
• [T1685 ] Disable or Modify Tools – Attacker-controlled servers can alter tool behavior and suppress audit visibility (‘suppress agent audit logging’).
• [T1685.002 ] Disable or Modify Tools: Disable or Modify Cloud Log – Cloud logging can be reduced or altered through compromised integrations (‘disable or modify cloud log’).
• [T1687 ] Exploitation for Defense Impairment – STDIO exploits can weaken host-level protections by gaining execution in the host process (‘command execution in the context of the host process’).
• [T1552.001 ] Unsecured Credentials: Credentials In Files – Tool poisoning targets SSH keys, cloud credentials, and env files (‘read SSH keys from ~/.ssh/id_rsa’ and ‘.aws/credentials’).
• [T1528 ] Steal Application Access Token – MCP gateway exposure leaks API keys, session tokens, and brokered credentials (‘complete credential sets, API keys, and conversation histories’).
• [T1083 ] File and Directory Discovery – Agents enumerate files and directories to locate sensitive data (‘enumerate accessible document collections’ and ‘read the contents of private repositories’).
• [T1526 ] Cloud Service Discovery – Agents identify cloud-connected resources and accessible collections (‘enumerate accessible document collections’).
• [T1550.001 ] Use Alternate Authentication Material: Application Access Token – Stolen tokens are reused to access other systems (‘retrieved storage token’ and ‘cloud storage authentication tokens’).
• [T1213 ] Data from Information Repositories – Attackers extract data from repositories, documents, and connected storage (‘exfiltrate private repository data’ and ‘retrieve their contents’).
• [T1114 ] Email Collection – Compromised agents access and send email content and attachments (’email MCP server’ and ‘compose email messages’).
• [T1567 ] Exfiltration Over Web Service – Data is sent to attacker-controlled URLs and external endpoints (‘POST the retrieved content to an external URL’).
• [T1102 ] Web Service – External web services are used as both payload delivery and exfiltration channels (‘legitimate cloud service endpoint used for both the tool’s real function and the attacker’s data receipt’).