Protecting against indirect prompt injection attacks in MCP

Indirect Prompt Injection Attacks in MCP: An Indirect Prompt Injection vulnerability (cross-domain prompt injection or XPIA) targets generative AI systems by embedding malicious instructions in external content. This leads to misinterpretation of commands and unintended actions, such as data exfiltration or manipulation of user interactions.

Tool Poisoning: A subset of Indirect Prompt Injection attacks, Tool Poisoning involves embedding malicious instructions within the descriptions of MCP tools. This can manipulate the AI model into executing unintended tool calls, bypassing security controls.

Mitigation Strategies: To mitigate Indirect Prompt Injection attacks, two approaches are recommended: implementing AI Prompt Shields, which transform input text to make it more relevant to the model, and establishing robust supply chain security mechanisms to ensure the use of approved packages and applications.

AI Prompt Shields: AI Prompt Shields developed by Microsoft include Spotlighting to make input text more relevant to the model and Datamarking to highlight trusted and untrusted data boundaries. These shields help defend against both direct and indirect prompt injection attacks.

Supply Chain Security: Supply chain security in the AI era extends to verifying all components before integration, maintaining secure deployment pipelines, and implementing continuous application and security monitoring, including foundation models and context providers.

Returning to Security Fundamentals: Emphasizing the importance of security fundamentals in AI implementations, organizations should focus on existing security posture, application security principles, supply chain security, and security hygiene alongside Microsoft Azure AI Foundry platform protection for safe AI and AI agent usage.