OfficeMCP — agentic threat model
OfficeMCP presents a high-risk profile: it integrates directly with Microsoft 365 through delegated OAuth and lets natural-language requests trigger actions such as sending emails, modifying calendars and reading OneDrive files. Because untrusted content (mail, documents, chat) flows straight into the model that decides which of those actions to take, it is highly susceptible to indirect prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.80 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary where the public description did not pin that layer down.
Layer 1 (Foundation Models): Not certain from the listing — OfficeMCP acts as an MCP server and does not specify its underlying foundation model. The primary threat is model reprogramming or jailbreaking via malicious emails or documents that the model processes.
Layer 2 (Data Operations): Directly accesses OneDrive, SharePoint and Mail. The primary threat is data exfiltration or knowledge-base poisoning, where an attacker places a malicious file in SharePoint to hijack the agent's context during retrieval.
Layer 3 (Agent Frameworks): Exposes powerful tools for Mail, Calendar and Teams. Insecure tool integration is a critical threat: indirect prompt injections carried by incoming emails or chats can trigger unauthorized tool execution (e.g., sending emails or deleting files).
Layer 4 (Deployment and Infrastructure): Operates as a remote MCP server. Threats include insecure storage of OAuth tokens, lack of transport-layer security, and host compromise if the MCP server process is not properly sandboxed.
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of built-in guardrails, logging or transaction monitoring that would detect anomalous Microsoft Graph API calls or prompt-injection attempts.
Layer 6 (Security and Compliance): Uses delegated OAuth to Microsoft Graph. While this limits actions to the user's own scope, the lack of an explicit human-in-the-loop (HITL) confirmation for sensitive actions (such as sending emails or sharing files) poses a major compliance and security risk.
Layer 7 (Agent Ecosystem): As an MCP server, it is designed to be called by other host agents. This introduces significant multi-agent trust-abuse risk: a compromised host agent can abuse OfficeMCP's delegated authority to exfiltrate enterprise data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).