Malicious MCP Servers: A New Threat to Your Email Security – What to Know
If you use an AI assistant that can read your inbox, draft replies, or manage calendar invites, you are relying on something called a Model Context Protocol (MCP) server. These servers act as the bridge between an AI agent and the tools it controls—including your email account. And like any bridge, they can be crossed by attackers.
Recent disclosures of security flaws in MCP servers from Anthropic and Microsoft, combined with the emergence of “agentic viruses,” have made it clear that this is a growing supply chain risk for email security. Here is what is happening, why it matters, and what you can do about it.
What Are MCP Servers and Why Do They Matter for Email Security?
MCP is a protocol that lets AI agents (such as custom chatbots or productivity bots) access external tools and data. Instead of every developer building their own integration, MCP standardises how an agent calls an API, reads a file, or sends an email. An MCP server is the endpoint that handles those requests.
For email, this means an AI agent can be given permission to read messages, compose replies, and send on your behalf. That is convenient—but it also means that if the MCP server is compromised or malicious, an attacker can use it to intercept or manipulate your email traffic.
Recent Attacks and Vulnerabilities
In early 2026, researchers disclosed flaws in MCP servers from both Anthropic and Microsoft. These vulnerabilities could allow an attacker to execute arbitrary code or gain unauthorised access to the data the servers process. The details are technical, but the practical impact is straightforward: a malicious MCP server could read every email that passes through it, send fraudulent messages from your account, or alter the content of emails before you see them.
Separately, security researchers have demonstrated “agentic viruses”—malware that instructs an AI agent to carry out harmful actions. If your email agent is connected to an untrusted MCP server, it could be tricked into spreading the virus to your contacts or exfiltrating your sensitive conversations.
How Attackers Exploit This
The attack does not require the AI agent itself to be malicious. Instead, the attacker compromises the MCP server that the agent trusts. This can happen in several ways:
- A third‑party MCP server you added to your agent is taken over or contains built‑in backdoors.
- A malicious MCP server is advertised as a legitimate service (supply chain attack).
- An attacker exploits a vulnerability in the server software itself, as in the Anthropic and Microsoft cases.
Once the server is under their control, attackers can read, send, or alter your emails without raising obvious red flags, because the AI agent is doing exactly what it was told to do.
Practical Steps to Protect Your Email
You do not need to abandon AI agents, but you should take precautions.
Limit what your email agent can do. Grant only the permissions necessary. If your agent needs only to read calendar invites, do not give it access to send email. Review the scopes and permissions requested by any MCP server.
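The least-privilege and vetting advice above can be enforced in code rather than left to the agent's judgement. The block below is an added example, not code from the article or from any MCP SDK: it models the agent side as a gate that inspects each outgoing MCP JSON-RPC message (the real protocol's `tools/list` and `tools/call` methods) before it reaches a server, and refuses calls to servers that were never vetted, tools whose scope was never granted, or sends that fan out to more recipients than the task needs. The tool names (`read_calendar`, `read_mail`, `send_mail`), the scope labels, the server ids and the policy objects are all constructed for the example.

```python
"""Least-privilege gate for MCP tool calls (added example, not the article's code).

Assumption: the agent's MCP client passes every outgoing JSON-RPC request through
authorize_request() before sending it. Tool names, scopes and server ids are
constructed; a real server advertises its own tool names via tools/list.
"""
import json
from dataclasses import dataclass

# Scope each tool needs. Constructed mapping for this example.
TOOL_SCOPES = {
    "read_calendar": "calendar.read",
    "read_mail": "mail.read",
    "send_mail": "mail.send",
}


@dataclass(frozen=True)
class AgentPolicy:
    allowed_scopes: frozenset   # least privilege: only what the task needs
    vetted_servers: frozenset   # servers the operator has audited (the audit step)
    max_recipients: int = 1     # blunts a compromised agent mailing the whole contact list


def tools_call(request_id, name, arguments):
    """Serialize an MCP tools/call request (JSON-RPC 2.0) as an agent would send it."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments}})


def authorize_request(raw_request, server_id, policy):
    """Decide whether one outgoing MCP message may reach the named server.

    Returns {"allowed": bool, "reason": str} so the caller can both enforce
    the decision and write it to an audit log.
    """
    try:
        req = json.loads(raw_request)
    except json.JSONDecodeError:
        return {"allowed": False, "reason": "malformed JSON-RPC message"}

    # Unvetted server: refuse everything, including tool discovery.
    if server_id not in policy.vetted_servers:
        return {"allowed": False, "reason": f"server {server_id!r} is not on the vetted list"}

    method = req.get("method")
    if method == "tools/list":
        return {"allowed": True, "reason": "tool discovery is read-only"}
    if method != "tools/call":
        return {"allowed": False, "reason": f"method {method!r} is not permitted"}

    params = req.get("params") or {}
    tool = params.get("name")
    scope = TOOL_SCOPES.get(tool)
    if scope is None:
        return {"allowed": False, "reason": f"unknown tool {tool!r}"}
    if scope not in policy.allowed_scopes:
        return {"allowed": False,
                "reason": f"tool {tool!r} needs scope {scope!r}, which was not granted"}

    # Even a granted send scope is capped so one call cannot fan out widely.
    args = params.get("arguments") or {}
    if tool == "send_mail":
        recipients = args.get("to") or []
        if isinstance(recipients, str):
            recipients = [recipients]
        if len(recipients) > policy.max_recipients:
            return {"allowed": False,
                    "reason": f"{len(recipients)} recipients exceed the limit of {policy.max_recipients}"}
    return {"allowed": True, "reason": f"scope {scope!r} granted"}


# Constructed policies: a calendar-only agent and a single-recipient reply assistant.
CALENDAR_ONLY = AgentPolicy(allowed_scopes=frozenset({"calendar.read"}),
                            vetted_servers=frozenset({"calendar-mcp"}))
REPLY_ASSISTANT = AgentPolicy(allowed_scopes=frozenset({"mail.read", "mail.send"}),
                              vetted_servers=frozenset({"mail-mcp"}), max_recipients=1)

if __name__ == "__main__":
    for label, msg, server, pol in [
        ("calendar read", tools_call(1, "read_calendar", {}), "calendar-mcp", CALENDAR_ONLY),
        ("calendar agent sending mail", tools_call(2, "send_mail", {"to": ["a@example.com"]}),
         "calendar-mcp", CALENDAR_ONLY),
        ("unvetted server", tools_call(3, "read_calendar", {}), "unknown-mcp", CALENDAR_ONLY),
        ("two recipients", tools_call(4, "send_mail", {"to": ["a@example.com", "b@example.com"]}),
         "mail-mcp", REPLY_ASSISTANT),
    ]:
        print(f"{label}: {authorize_request(msg, server, pol)}")
```

The gate sits on the agent side precisely because the article's threat is a compromised or malicious server: nothing the server advertises in its `tools/list` response can widen the grant, and a denied decision is a log line worth keeping for the monitoring step.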
Audit the MCP servers you use. Understand who runs each server, where its code is hosted, and whether it has been security‑reviewed. Avoid adding servers from unknown or unverified sources.
Keep server software updated. If you run your own MCP server (for example, to connect a custom agent to your email), apply security patches promptly. The disclosed flaws in Anthropic and Microsoft servers were fixed quickly—update to the latest versions.
Monitor your email agent’s behaviour. Unexpected outgoing messages, strange auto‑replies, or changes in email routing should be investigated. Many email providers offer logs of API access—review them periodically.
Consider using a dedicated email account for any AI agent that has write access. That way, even if the agent is compromised, your primary inbox remains isolated.
Question the urgency of agentic features. Do you really need an AI bot that can send emails entirely on its own? If not, disable that capability. The fewer actions the agent can take autonomously, the lower the risk.
The Bottom Line
MCP servers are still relatively new, and their security posture is evolving. The recent vulnerabilities prove that they are a viable attack surface for email compromise. As more products integrate AI agents with email, this supply chain threat will likely grow.
You do not have to stop using these tools, but you should treat them as you would any other critical third‑party service: vet them, limit their access, and watch for signs of misuse.
Sources
- “Anthropic, Microsoft MCP Server Flaws Shine a Light on AI Security Risks” – Security Boulevard (January 2026)
- “The Agentic Virus: How AI Agents Become Self‑Spreading Malware” – Security Boulevard (February 2026)
- “Malicious MCP Servers & Email Security: The New Supply Chain Threat” – Security Boulevard (June 2026)