Microsoft Identifies Zero-Click Attacks in Agentic AI Systems
Severity: High (Score: 71.0)
Sources: Feeds.4Sysops, Blogs.Microsoft, Gbhackers, Letsdatascience, www.microsoft.com
Keywords: agentic, failure, modes, microsoft, taxonomy, systems, teaming
Summary
On June 4, 2026, Microsoft updated its taxonomy of failure modes in agentic AI systems based on a year of red teaming. The update revealed that zero-click attack chains can bypass human-in-the-loop (HitL) controls, leading to severe outcomes like data exfiltration. Seven new failure modes were introduced, including supply chain compromise and goal hijacking. The report emphasized that these attacks can initiate from a single external input without further human interaction. The findings indicate that traditional per-step approvals may not be sufficient to detect complex attack chains. Microsoft noted that the Model Context Protocol and open-source frameworks contributed to these vulnerabilities. The report highlights the need for enhanced session-level detection to combat these emerging threats.
Key Points:
- Zero-click attack chains can bypass human oversight, leading to data breaches.
- Seven new failure modes were identified, including supply chain compromise and goal hijacking.
- Session-level detection is essential to mitigate risks from complex attack chains.
Detailed Analysis
**Impact**
Agentic AI systems across multiple sectors using open-source frameworks and the Model Context Protocol are affected globally, with over 2,100 agents identified within 48 hours of OpenClaw's launch in January 2026. The attacks enable zero-click chains that bypass human-in-the-loop controls, leading to data exfiltration, lateral movement, and potential supply-chain compromise. High-impact outcomes include unauthorized access and manipulation of persistent memory, threatening operational integrity and sensitive data confidentiality.

**Technical Details**
Attack vectors include cross-domain prompt injection (XPIA), memory poisoning, session context contamination, and incremental escalation. The Model Context Protocol accumulated 99 CVEs in 2025, exploited in multi-step, zero-click attack chains that evade per-step detection. Tools referenced include the open-source projects RAMPART and Clarity for testing agent architectures. Kill chain stages span initial access through XPIA, persistence via memory poisoning, and execution of chained actions across system boundaries. Indicators include unexpected plugin schema disclosures and unexplained memory writes influencing agent behavior.

**Recommended Response**
Defenders should implement session-level detection correlating memory state, session history, and tool schemas rather than relying solely on per-step intent classifiers. Apply supply-chain security measures such as SBOMs for agent components and cryptographic inter-agent identity verification. Harden consent architectures and monitor for anomalous multi-step sessions and capability disclosures. Deploy open-source testing tools like RAMPART and Clarity to integrate taxonomy-derived tests into CI/CD pipelines.
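To make the "session-level rather than per-step" recommendation concrete, here is an added example (not code from Microsoft, RAMPART, or Clarity) that replays a constructed agent session log through two detectors. The stateless per-step check only blocks a tool from a fixed blocklist, so every step of a chain that starts from an external input, writes persistent memory, discloses an unexpected tool schema, and then makes a boundary-crossing call looks benign on its own. The stateful session scorer correlates those indicators across the session and surfaces the chain precisely because no human turn separates the external input from the egress. Event kinds, tool names, the baseline tool set, the score weights, and the sessions themselves are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed baseline: tools this deployment is expected to expose.
KNOWN_TOOLS = {"search_docs", "summarize"}

# Constructed per-step blocklist, deliberately narrow to mirror how a stateless
# check only sees the step in front of it and not the chain around it.
PER_STEP_BLOCKLIST = {"exec_shell"}

ALERT_THRESHOLD = 50  # assumed tuning value


@dataclass
class Event:
    seq: int
    kind: str  # human_turn | external_input | memory_write | schema_disclosure | tool_call
    detail: Dict[str, object] = field(default_factory=dict)


def per_step_alerts(events: List[Event]) -> List[int]:
    """Stateless check: returns seqs of tool calls that are blocked on their own."""
    return [e.seq for e in events
            if e.kind == "tool_call" and e.detail.get("tool") in PER_STEP_BLOCKLIST]


def session_score(events: List[Event]) -> Tuple[int, List[str]]:
    """Stateful check: correlates untrusted input, memory state, schema drift and
    boundary-crossing calls across the whole session, with reasons for the score."""
    score, reasons = 0, []
    untrusted_since = None   # seq of the first external input not yet followed by a human turn
    memory_tainted = False   # persistent memory was written while under untrusted influence
    schema_drift = False     # a tool outside the baseline was disclosed mid-session
    for e in events:
        if e.kind == "human_turn":
            untrusted_since = None  # a fresh human turn closes the untrusted window; memory taint persists
        elif e.kind == "external_input":
            if untrusted_since is None:
                untrusted_since = e.seq
        elif e.kind == "memory_write":
            if untrusted_since is not None:
                memory_tainted = True
                score += 30
                reasons.append(f"seq {e.seq}: memory write while under external input from seq {untrusted_since}")
        elif e.kind == "schema_disclosure":
            tool = e.detail.get("tool")
            if tool not in KNOWN_TOOLS:
                schema_drift = True
                score += 20
                reasons.append(f"seq {e.seq}: unexpected tool schema disclosed: {tool}")
        elif e.kind == "tool_call":
            crosses = bool(e.detail.get("crosses_boundary"))
            if crosses and (untrusted_since is not None or memory_tainted or schema_drift):
                score += 40
                reasons.append(f"seq {e.seq}: boundary-crossing call to {e.detail.get('tool')} "
                               "with no human approval since the untrusted input")
    return score, reasons


def is_suspicious_session(events: List[Event]) -> bool:
    return session_score(events)[0] >= ALERT_THRESHOLD


# Constructed session: a single inbound document drives the whole chain, no human turn in between.
ZERO_CLICK_SESSION = [
    Event(1, "external_input", {"source": "inbound_email"}),
    Event(2, "memory_write", {"key": "user_prefs"}),
    Event(3, "schema_disclosure", {"tool": "send_http"}),
    Event(4, "tool_call", {"tool": "send_http", "crosses_boundary": True}),
]

# Constructed session: ordinary human-driven work with only baseline tools.
BENIGN_SESSION = [
    Event(1, "human_turn"),
    Event(2, "tool_call", {"tool": "search_docs"}),
    Event(3, "memory_write", {"key": "user_prefs"}),
    Event(4, "schema_disclosure", {"tool": "summarize"}),
]

# Constructed session: external input arrives, but a human turn precedes the egress call.
HITL_APPROVED_SESSION = [
    Event(1, "external_input", {"source": "inbound_email"}),
    Event(2, "human_turn"),
    Event(3, "tool_call", {"tool": "send_http", "crosses_boundary": True}),
]

if __name__ == "__main__":
    for name, session in [("zero-click", ZERO_CLICK_SESSION),
                          ("benign", BENIGN_SESSION),
                          ("hitl-approved", HITL_APPROVED_SESSION)]:
        score, reasons = session_score(session)
        print(f"{name}: per-step alerts={per_step_alerts(session)} session score={score}")
        for r in reasons:
            print("   ", r)
```

The point the three sessions make is the one the report makes: the per-step check returns no alerts for the zero-click chain, while the session scorer reaches 90 from three individually innocuous steps. Resetting the untrusted window on a human turn, but not the memory-taint flag, is a deliberate choice so that a later session can still be scored against memory poisoned earlier.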
Source articles (6)
- Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us — Blogs.Microsoft · 2026-06-04
  A surge in real-world attacks against agentic AI systems is reshaping how we think about risk. Based on 12 months of red teaming, this update introduces seven new failure modes, from supply chain compromise…
- Microsoft Updates Taxonomy of Agentic AI Failure Modes - Let's Data Science — Letsdatascience · 2026-06-04
  According to a Microsoft AI Red Team whitepaper published on Microsoft Security Blog, the team updated its operational taxonomy of failure modes in agentic AI systems after 12 months of red teaming. T…
- Zero-Click Agentic AI Attack Bypasses Human Oversight — Gbhackers · 2026-06-05
  Taxonomy of Failure Modes in Agentic AI Systems v2.0 published in April 2026, the field received more than a classification update: it got operational guidance grounded in a year of real-world red tea…
- Zero-Click Agentic AI Attack Bypasses Human Oversight | Let's Data Science — Letsdatascience · 2026-06-05
  The Microsoft AI Red Team's June 4, 2026 update to its "Taxonomy of Failure Modes in Agentic AI Systems" (v2.0) reports that zero-click attack chains can bypass human-in-the-loop (HitL) approvals end-…
- Microsoft updates AI agent security taxonomy with seven new failure modes — Feeds.4Sysops · 2026-06-05
  Microsoft has released an updated framework for securing agentic AI systems based on a year of real-world red teaming. The revised taxonomy introduces seven new failure categories, including agentic s…
- Microsoft AI Red Team published the Taxonomy of Failure Modes — www.microsoft.com · 2026-06-05
Timeline
- 2025-04-01 — Initial taxonomy of failure modes released: Microsoft published the first version of its taxonomy for agentic AI systems, outlining initial failure modes.
- 2026-06-04 — Taxonomy update published: Microsoft released an updated taxonomy after 12 months of red teaming, introducing seven new failure modes.
- 2026-06-04 — Zero-click attack chains identified: The update revealed that zero-click attack chains can bypass human-in-the-loop controls, leading to significant data exfiltration risks.
CVEs
Related entities
- Botnet (Attack Type)
- Data Breach (Attack Type)
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- C0xmo (Malware)
- Gafgyt (Malware)
- SHub Stealer (Malware)
- Reaper (Apt Group)
- Linux (Platform)
- MacOS (Platform)
- Model Context Protocol (Platform)
- OpenClaw (Platform)
- Clarity (Tool)
- Rampart (Tool)