Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk. Stop me if you've heard this one before:
- A threat actor (acting as an external user) submits a malicious support ticket.
- An internal user, linked to a tenant, invokes an MCP-connected AI action.
- A prompt injection payload in the malicious support ticket is executed with internal privileges.
- Data is exfiltrated to the threat actor’s ticket or altered within the internal system.
It's the classic lethal trifecta exfiltration attack, this time against Atlassian's new MCP server, which they describe like this:
With our Remote MCP Server, you can summarize work, create issues or pages, and perform multi-step actions, all while keeping data secure and within permissioned boundaries.
That's a single MCP that can access private data, consume untrusted data (from public issues) and communicate externally (by posting replies to those public issues). Classic trifecta.
It's not clear to me if Atlassian have responded to this report with any form of a fix. It's hard to know what they can fix here - any MCP that combines the three trifecta ingredients is insecure by design.
My recommendation would be to shut down any potential exfiltration vectors - in this case that would mean preventing the MCP from posting replies that could be visible to an attacker without at least gaining human-in-the-loop confirmation first.
Recent articles
- Trying out the new Gemini 2.5 model family - 17th June 2025
- The lethal trifecta for AI agents: private data, untrusted content, and external communication - 16th June 2025
- An Introduction to Google’s Approach to AI Agent Security - 15th June 2025