Full Report
Cato Networks researchers demonstrated an attack leveraging Atlassian’s AI agent-enabling server
Analysis Summary
# Tool/Technique: Living off AI Attack (PoC exploiting Atlassian MCP)
## Overview
This refers to a proof-of-concept (PoC) attack demonstrating a new class of risk where threat actors can leverage vulnerabilities in how AI agents process untrusted input—specifically through prompt injection carried out via a malicious support ticket submitted to Jira Service Management (JSM). The attack vector abuses Atlassian's implementation of the Model Context Protocol (MCP) to force internal systems/users to execute unauthorized actions, a concept dubbed 'Living off AI'.
## Technical Details
- Type: Technique (Prompt Injection via AI Protocol Abuse)
- Platform: Environments utilizing the Model Context Protocol (MCP), demonstrated on Atlassian Jira Service Management (JSM).
- Capabilities: Gaining privileged access, executing malicious instructions, exfiltrating internal data, and altering internal system data without direct authentication to the core systems.
- First Seen: PoC demonstrated by Cato CTRL researchers and reported June 19, 2025 (based on the article date).
## MITRE ATT&CK Mapping
Since this involves leveraging an AI system's execution capabilities via manipulated input, the closest relevant tactic involves Initial Access or Execution through indirect means, and potentially Privilege Escalation or Defense Evasion based on the outcome. Given the mechanism focuses on abusing functionality:
- **TA0001 - Initial Access**
- T1566 - Phishing (If the ticket submission is considered the delivery mechanism)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (Less applicable, as it's instruction-based)
- **TA0004 - Privilege Escalation** (If the manipulated execution grants higher access)
- *Specific technique mapping is difficult without deeper technical analysis of the exploit chain but relates to unauthorized command execution via the AI agent.*
## Functionality
### Core Capabilities
- **Prompt Injection Execution:** Sending crafted malicious instructions embedded within a support ticket submission targeting an AI agent operating through the MCP.
- **Proxy Execution:** Utilizing an internal support engineer (or the AI agent itself acting on their behalf) as an unwitting proxy to execute the malicious instructions.
- **Unauthorized Action:** Causing the AI agent to perform actions like data exfiltration or data alteration on internal systems.
### Advanced Features
- **Bypassing Authentication:** The attacker gains privileged access without needing to authenticate directly to the targeted system because the AI agent, operating within the trusted internal context, executes the command.
- **Abuse of Unchecked External Input Flows:** Exploiting the specific design pattern where external inputs flow into MCP servers without adequate sandboxing or validation.
## Indicators of Compromise
*Note: As this is a technique description validated by a PoC, specific forensic IOCs related to this public demonstration are not detailed in the provided text.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The attack utilized the existing JSM workflow, potentially involving internal network traffic related to the MCP host/server communication).
- Behavioral Indicators: Execution of remote MCP tool calls (e.g., `create`, `add`, or `edit`) initiated by an AI agent in response to external input originating from an untrusted source (like a support ticket payload).
## Associated Threat Actors
The PoC was demonstrated by researchers from **Cato Networks (Cato CTRL Threat Research team)**. The report warns that this pattern is applicable to any threat actor targeting environments using MCP architecture incorrectly.
## Detection Methods
- Signature-based detection: Not directly applicable to the input pattern, but signatures could be built around specific malicious MCP API calls.
- Behavioral detection: Monitoring for AI agents executing MCP tool calls (`create`, `add`, `edit`) that are unusual or originate from externally-triggered inputs (e.g., unauthorized ticket submissions).
- YARA rules: N/A
## Mitigation Strategies
- **Blocking Remote Tool Calls:** Create a security rule to block or alert on any remote MCP tool calls (e.g., `create`, `add`, `edit`) used by the AI agent structure, effectively enforcing least privilege on AI-driven actions.
- **Prompt Isolation and Context Control:** Implement robust validation, sandboxing, and context control mechanisms for any external input that flows into AI logic utilizing the MCP.
- **Auditing:** Maintain audit logs of all MCP activity across the network to detect suspicious prompt usage in real time.
## Related Tools/Techniques
- **Model Context Protocol (MCP):** The underlying standard (introduced by Anthropic) that Atlassian implemented, which formed the basis for potential exploitation.
- **Prompt Injection:** The fundamental class of attack leveraged against the LLM/AI infrastructure.
- **Vendor Bug Disclosure:** Related incident noted regarding Asana's MCP server bug exposing customer data.