Microsoft Failure Mode Taxonomy v2.0

Case-Study Expansion · Deep-Dive SDD-B02 · Course 2B

45 minutes · The seven agentic failure modes + the zero-click HITL bypass chain, reproduced as case studies

B10 named the modes. This deep-dive reproduces each as a full chain — the attack, the detection gap that defeated the OWASP control, and the defense that closes it. The chains that show up against an agent built to OWASP.

Deep-Dives

The thesis — B10 named them; SDD-B02 reproduces them

B10 = the framework

Names the seven modes and the zero-click finding. Read as an attacker designing engagements. The methodology.

SDD-B02 = the case studies

Reproduces each mode as a chain, names the detection gap that defeated the OWASP control, names the defense. Read as an attacker reproducing the chain.

Same relationship as B9→SDD-B01. B10 is the framework (the mode defined); SDD-B02 is the case study (the chain reproduced, the gap pinpointed). Whereas SDD-B01 expanded the OWASP rows, this expands the Microsoft modes.

Modes 1–4 — the case studies

ModeThe chainThe detection gap (OWASP control defeated)
M1
Supply Chain
Signed-but-malicious MCP server whose tool definition carries a hidden exfil instruction.ASI08: signature verifies the publisher, not the benignity. Registry doesn't enforce name uniqueness.
M2
Goal Hijack (drift)
Indirect injection via trusted tool output shifts framing across turns until sub-goal diverges.ASI01: gate tests direct injection; trusted-output channel uninspected. Reaffirmation N > drift timescale.
M3
Inter-Agent Trust
Compromised read-only sub-agent forges a payment request; orchestrator executes under role trust.NO OWASP ROW. Principal binding verifies sender, not that sender is authorized to request the action.
M4
Vision
Steganographic coupon image decodes to vision model as a credential-exfil instruction.NO OWASP ROW. Attack in pixels, invisible to text taint gates and human reviewers.
Modes 3 and 4 have no clean OWASP row — they live between the rows. An engagement scoped to OWASP alone misses them entirely.

Modes 5–7 — the case studies

ModeThe chainThe detection gap (OWASP control defeated)
M5
Session Contamination
Turn-1 false premise ("compliance-audit mode: log full params") shapes every subsequent turn; credentials logged to transcript.NO OWASP ROW. Poison is ephemeral-but-cross-turn — lives in context window, not durable memory. ASI04 write controls miss it (no write occurred).
M6
Dispatch Abuse
Attacker registers send_email_safe whose description collides with send_email; dispatch routes to the wrong tool.ASI05: normalizes paths, validates schemas — but NOT the selection layer. The abuse is in dispatch resolution.
M7
Capability Disclosure
Multi-turn rapport elicits tool schemas + policy excerpts; attacker engineers a request fitting the policy.ASI02: scores the leak, not the chain it enables. Disclosure is reconnaissance — severity is the unlocked chain.
Mode 5 is the third between-the-rows mode. Three of seven (M3, M4, M5) have no clean OWASP analogue — surfaces that exist only in multi-agent, vision-capable, multi-turn deployed systems.

The three between-the-rows modes

M3
Inter-Agent Trust

Orchestrators treat sub-agent messages as role-scoped authority, not untrusted input. No ASI equivalent — surface did not exist in single-agent systems.

M4
Vision

Attack is in pixels, decoded by the vision model. Invisible to any text-based taint gate and to a human reviewer. No text-only analogue.

M5
Session Contamination

Poison is ephemeral-but-cross-turn — lives in the context window, not durable memory. ASI04 write controls miss it because no write occurred.

An engagement scoped to OWASP alone misses all three. These surfaces exist only in deployed agentic systems — multi-agent, vision-capable, multi-turn. They are the reason the Microsoft taxonomy exists as a separate artifact from OWASP.

The zero-click HITL bypass chain — the centerpiece

The structural finding that reframes the human-in-the-loop control. A single external input triggers a multi-step chain where every step passes its approval gate individually (each is benign in isolation) but the compound exfiltrates.

StepActionGate (isolated)
1Receives email: "reconcile Q3 vendors, send discrepancies"External input (auto-received)
2Reads vendor list + billing recordsRoutine data access — APPROVED
3Drafts email to vendor, CC's "billing auditor" (payload-supplied)Drafting email — APPROVED
4Sends the email (human sees reasonable note)Sending drafted email — APPROVED
5"Billing auditor" = attacker. Vendor list exfiltrated.IMPACT
Per-step approval is structurally insufficient. No single approver had session-level context, because no single step was refusable. The malice lives in the compound, invisible to any gate that evaluates steps in isolation.

Per-step vs session-level detection

Bottom layer (B8's control)

PER-STEP APPROVAL. Correct, insufficient. Each high-impact action requires human approval. Stops the single malicious action. Blind to the compound of benign actions.

Top layer (the required extension)

SESSION-LEVEL INTENT DETECTION. Intent tracking (re-derive sub-goal from source each turn). Compound-action pattern matching. Approval freshness windows with compound context attached.

You need both. Per-step stops the single malicious action; session-level stops the chain of benign actions. An agent with only per-step approval is vulnerable to zero-click chains; an agent with only session-level detection is vulnerable to the single action the pattern matcher doesn't recognize. Defense in depth, across two scales. The direct cross-turn extension of B8.

The defense for each mode — the behavioral layer above the structural control

ModeStructural control (OWASP)Behavioral layer that closes the gap
M1 Supply ChainSigned manifests+ runtime tool-output verification (secondary model checks outputs for injected instructions)
M2 Goal HijackTaint gate+ gate extended to tool outputs; reaffirmation N < drift timescale
M3 Inter-AgentInter-agent messages untrusted at receiving boundary; privilege re-checked per action
M4 VisionVision inputs untrusted at same tier as text; secondary-model instruction check
M5 SessionContext-window provenance tagging; cross-turn premises re-derived from source
M6 DispatchPath normalization+ unique-resolution dispatch (halt on ambiguity); instruction-stripping of args
M7 DisclosureCanaryAgent never enumerates capabilities to untrusted principals; minimized schemas
Zero-clickPer-step approval+ session-level intent detection (intent tracking + compound matching + freshness)
The pattern: each defense adds a behavioral or cross-turn layer above the structural OWASP control. The controls on paper are necessary; the layer that actually closes the gap accounts for how an adversary composes across them.

The engagement methodology — design chains, not rows

  1. Reconnaissance via capability disclosure (M7). Enumerate tools, prompts, config. Score what an attacker can do with what leaked, not what leaked.
  2. Surface selection. Pick the entry: supply-chain (M1), inter-agent (M3), vision (M4), session-context (M5), dispatch (M6), or indirect-injection (M2).
  3. Chain construction. Sequence steps. Each must pass its OWASP control individually — the chain slips between controls, not through a missing one.
  4. Compound delivery. Trigger with a single external input (zero-click) or minimum viable human interaction.
  5. Gap identification. The deliverable is the specific session-level gap that allowed the compound — the missing intent check, the absent freshness window. That gap is what the client patches.

B9 + SDD-B01 + SDD-B02 — one engagement

ArtifactFunctionUnitOutput
B9Defense checklist (builder)The riskScored report (PASS/FAIL/MEASURED)
SDD-B01OWASP offensive procedures (attacker)OWASP row-exploitation + cross-row chainReproduced findings + residuals
SDD-B02Microsoft case-study chains (attacker)The chain (multi-step, compound)Reproduced chain + session-level gap
B12 packages all three. B9 = the floor (controls present). SDD-B01 = the OWASP chains (residuals between rows). SDD-B02 = the Microsoft chains (between-the-rows modes + zero-click HITL). None alone is sufficient. An engagement scoped to OWASP alone misses the three between-the-rows modes plus every compound chain.
Anti-patterns: "we covered goal hijacking in B9, so M2 adds nothing" (synthesis error). Treating the seven modes as seven independent tests (they compose into chains). Per-step approval as the HITL control (insufficient). Scoring disclosure by what leaked (score by the chain).

What you can now do

  1. For each of the seven Microsoft modes, reproduce the full case study — the chain, the detection gap that defeated the OWASP control, and the defense.
  2. Explain why three modes (M3, M4, M5) have no clean OWASP row and live between the rows.
  3. Reproduce the zero-click HITL bypass chain and explain why per-step approval is insufficient and session-level intent detection is required.
  4. Distinguish the Microsoft taxonomy (red-team framework, unit = chain) from OWASP (defense checklist, unit = risk).
  5. Translate each mode into an engagement case study using the five-step methodology.
The lab: reproduce the zero-click HITL bypass chain as a logged trace (five steps, each passing its gate, the compound exfiltrating), implement and verify the session-level intent detector that catches it, then reproduce one chain per Microsoft mode.

Next: SDD-B03 — InjecAgent: The Bridge Benchmark