Your AI Email Assistant Could Be a Security Risk: What to Know About the MCP Server Threat

If you use an AI assistant that reads or drafts your emails, you’re trusting it with one of your most sensitive accounts. That trust is being exploited in a new kind of supply chain attack—one that targets the Model Context Protocol (MCP) servers these tools rely on.

MCP is a protocol that allows AI agents to connect to external services, including email. It’s the mechanism that lets an AI assistant pull up your latest messages, summarise threads, or even send replies on your behalf. The assistant does this by sending requests to an MCP server, which holds the credentials for your mailbox. So when an attacker controls that server, or substitutes their own, they see everything the assistant sees and can act with every permission it was granted: read your inbox, and impersonate you.

Here’s what the threat looks like and, more importantly, what you can do about it.

What happened

In June 2026, a Security Boulevard report described a growing wave of malicious MCP servers targeting email accounts. The attack works by tricking users or their AI tools into connecting to a compromised MCP endpoint instead of a legitimate one. Once connected, the attacker can access the same email data the AI tool is permitted to see, without ever touching your password or your provider’s login page.

This builds on earlier research. In January 2026, both Anthropic and Microsoft disclosed flaws in their MCP server implementations that could allow attackers to inject malicious commands or steal authentication tokens. While those flaws have been patched, the underlying model—an AI assistant with broad access to email—remains a tempting target.

Why it matters for everyday users

The danger isn’t abstract. If an AI assistant has permission to read, draft, or send email, a compromised MCP server effectively gives an attacker the same powers. They can:

  • Read your private conversations, including password reset links or account recovery codes sent via email.
  • Send phishing messages from your address to your contacts, making them far more believable.
  • Silently forward copies of incoming emails to an external account.

Because the attack targets the infrastructure behind the AI tool rather than your email account directly, normal security measures like strong passwords or two-factor authentication may not stop it. The attacker is acting through a legitimate app you authorised, using the access token or app password you granted it.

The supply chain angle is new for many people. Instead of breaking into your Google or Microsoft account, attackers are breaking into the service your AI assistant uses to talk to your email provider. If you authorised your AI tool to access email, you’ve already handed over the keys; the attacker only needs to get hold of the assistant’s credentials, or to sit in the path between the assistant and your mailbox.

What you can do about it

You don’t need to stop using AI email tools, but you should treat them with the same caution you’d give any third-party app with access to your inbox. Here are practical steps:

Audit connected apps and permissions.
Go through your email provider’s security settings and review which apps have access to your account. Remove any you don’t recognise or no longer use. Look specifically for AI assistants or email tools you granted Gmail or Outlook permissions to, and note what each one can do (read only, or read and send), not just whether it exists. If you’re unsure whether a tool uses MCP, check its documentation or support site.

Use app-specific passwords where possible.
Some email providers let you generate a separate password for each third-party app (often called an app password). This limits the damage if that app’s credentials are stolen: you can revoke that one password without changing your main one or disturbing other apps. It’s not a perfect solution. An app password typically grants full mailbox access and is not protected by your second factor, so the app can still misuse it. Where the provider offers a permission-scoped sign-in (an OAuth consent screen that lists exactly what the app may do), prefer that over an app password.

Enable two-factor authentication, but understand its limits.
Two-factor authentication protects your email account itself. It won’t stop a malicious app that you’ve already authorised. Still, it’s essential for preventing attackers from directly taking over your account if they somehow get your password.

Limit the AI tool’s access to email.
Check which permissions the tool requests when you connect it; most providers show the exact list on the consent screen. If the tool offers a read-only option, choose it instead of read-write. Disable auto-sending and automatic replies unless you actually need them. The less power you give, the less an attacker can do if the MCP server is compromised.

Monitor your sent mail folder.
Check your sent items periodically for messages you didn’t write, and look at your filters and forwarding rules for entries you didn’t create. Any unexpected outgoing email or forwarding rule is a red flag. If you see one, revoke the app’s access immediately and change your email password.

Keep your AI tools and devices updated.
Security patches from companies like Anthropic and Microsoft address known flaws in MCP server implementations. Those patches won’t stop a future zero-day, but they close the doors that attackers are currently using.
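The two steps above that can be checked mechanically are the audit of connected servers and the least-privilege check on what a connector may do. The script below is an added example, not code from the article or from any vendor. It assumes a client configuration shaped like the common `mcpServers` JSON layout (each entry has either a local `command` plus `args` or a remote `url`, with an optional `env` map); the hostname allowlist, the secret-name heuristic and the sample configuration are constructed for this example. The two OAuth scope names are real Gmail and Microsoft Graph scopes, but the list of scopes you feed in would come from your provider’s connected-apps page.

```python
"""Audit MCP client configuration and requested mail scopes for risk.

Added example for this article; not the page's or any vendor's code.
The `mcpServers` layout, ALLOWED_HOSTS and the sample config are
assumptions constructed for the demonstration.
"""
import json
import re
from urllib.parse import urlparse

# Scopes that only read mail. Anything else is treated as more than an
# assistant that summarises email actually needs.
READ_ONLY_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",  # Gmail
    "Mail.Read",                                       # Microsoft Graph
}

# Remote MCP hosts you have deliberately approved (assumed allowlist).
ALLOWED_HOSTS = {"mcp.example-mail-vendor.com"}

# Environment variable names that usually carry credentials.
SECRET_NAME = re.compile(r"(token|secret|password|key)", re.I)


def audit_server(name, entry):
    """Return a list of findings for one mcpServers entry."""
    findings = []
    url = entry.get("url")
    if url:
        parsed = urlparse(url)
        # A remote server over plain http can be read or replaced in transit.
        if parsed.scheme != "https":
            findings.append(f"{name}: remote server over {parsed.scheme}, not https")
        # An unexpected host is exactly the endpoint substitution the attack relies on.
        if parsed.hostname not in ALLOWED_HOSTS:
            findings.append(f"{name}: host {parsed.hostname} is not on the allowlist")
    for var, value in entry.get("env", {}).items():
        # A literal token in the config file is a credential sitting on disk;
        # a `${VAR}` reference is resolved at runtime and is not flagged.
        if SECRET_NAME.search(var) and value and not value.startswith("${"):
            findings.append(f"{name}: credential {var} stored in plaintext config")
    return findings


def audit_config(text):
    """Audit every server in a JSON config string; returns all findings."""
    cfg = json.loads(text)
    findings = []
    for name, entry in cfg.get("mcpServers", {}).items():
        findings.extend(audit_server(name, entry))
    return findings


def over_broad_scopes(requested):
    """Return the requested OAuth scopes that grant more than read-only mail."""
    return [scope for scope in requested if scope not in READ_ONLY_SCOPES]


# Constructed sample config: one approved remote server, one suspicious
# remote server, one local tool with no mail access.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "mail-official": {"url": "https://mcp.example-mail-vendor.com/sse"},
    "mail-helper": {
      "url": "http://mcp-mail-helper.example.net/sse",
      "env": {"GMAIL_TOKEN": "ya29.constructed-example-token"}
    },
    "local-notes": {"command": "npx", "args": ["-y", "example-notes-server"]}
  }
}
"""

# Constructed scope list, as it might appear on a consent screen.
SAMPLE_SCOPES = [
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",   # full Gmail access, including send
    "Mail.Send",                  # Graph: send as the user
]

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
    for scope in over_broad_scopes(SAMPLE_SCOPES):
        print("scope:", scope, "grants more than read-only access")
```

Run it as-is to see the constructed `mail-helper` entry flagged three times (plain http, unapproved host, plaintext token) while the approved server and the local tool pass; the scope check reports the full-access Gmail scope and `Mail.Send`. In practice you would point `audit_config` at your own client configuration file and paste the scope list from your provider’s connected-apps page into `over_broad_scopes`.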

If you suspect your email AI tool is compromised

Act quickly. First, revoke the tool’s access to your email account via your provider’s security settings; this invalidates the token or app password the attacker is using, which changing your password alone may not do. Then change your email password and sign out of all sessions. Run a security checkup (many providers offer an automated one) and review filters and forwarding rules. Alert your contacts that your account may have been used to send malicious messages. Finally, report the incident to the email provider and the AI tool’s developer. Security teams rely on user reports to spot larger campaigns.

Sources

  • Security Boulevard: “Malicious MCP Servers & Email Security: The New Supply Chain Threat” (June 2026)
  • Security Boulevard: “Anthropic, Microsoft MCP Server Flaws Shine a Light on AI Security Risks” (January 2026)

Tags: email security, AI threats, MCP servers, supply chain attack, online safety, phishing, account protection