
outlook-mcp — agentic threat model

AIVSS 9.3 · Critical

outlook-mcp presents a high-risk profile due to its direct integration with Microsoft Graph API, enabling actions like sending emails and searching directories. Its primary vulnerability is indirect prompt injection, where malicious content in read emails can hijack the agent to leak data or send unauthorized messages.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.51
Factor sum: 3.9/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.30
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
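To make the score rationale reproducible, here is an added Python example (not part of this listing or of outlook-mcp) that applies the AIVSS formula stated above to the ten factor values and reports which capability contributes most to the AARS uplift. The per-factor ranking helper and the [0, 1] range check on each factor are my additions, not something the listing specifies.

```python
from typing import Dict

# Agentic risk factors for outlook-mcp, copied from the listing above.
AGENTIC_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}
CVSS_BASE, THREAT_MULTIPLIER, MITIGATION_FACTOR = 8.8, 1.1, 1.0  # from the listing

def factor_sum(factors: Dict[str, float]) -> float:
    """Sum the ten agentic factors. The count and [0, 1] range checks are added sanity checks."""
    if len(factors) != 10:
        raise ValueError(f"AIVSS uses exactly 10 agentic factors, got {len(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} outside [0, 1]: {value}")
    return sum(factors.values())

def aars(cvss_base: float, factors: Dict[str, float], thm: float) -> float:
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, exactly as the listing states it."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm

def aivss(cvss_base: float, factors: Dict[str, float], thm: float, mitigation: float) -> float:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor. No cap is applied; the listing states none."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation

def aars_contributions(cvss_base: float, factors: Dict[str, float], thm: float) -> Dict[str, float]:
    """Added helper: each factor's share of the AARS uplift, largest first, to prioritise mitigations."""
    scale = (10.0 - cvss_base) * thm / 10.0
    shares = {name: round(value * scale, 3) for name, value in factors.items()}
    return dict(sorted(shares.items(), key=lambda kv: kv[1], reverse=True))

def score_report(cvss_base: float = CVSS_BASE, factors: Dict[str, float] = AGENTIC_FACTORS,
                 thm: float = THREAT_MULTIPLIER, mitigation: float = MITIGATION_FACTOR) -> Dict[str, float]:
    """Values rounded the way the listing displays them: factor sum and AIVSS to 1 dp, AARS to 2 dp."""
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(factor_sum(factors), 1),
        "aars": round(aars(cvss_base, factors, thm), 2),
        "aivss": round(aivss(cvss_base, factors, thm, mitigation), 1),
    }
```

Running `score_report()` reproduces the listing's badges (factor sum 3.9, AARS 0.51, AIVSS 9.3), and `aars_contributions(...)` ranks Dynamic Tool Use and Autonomy of Action as the two capabilities driving the uplift.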

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The MCP server itself does not bundle a foundation model, but it is designed to be called by one. The primary threat is indirect prompt injection where an LLM processing an email payload executes unauthorized tool calls.

L2 · Data Operations ✓ mapped

The agent accesses highly sensitive data stores via the Microsoft Graph API, including user emails, contacts, and corporate directory search. Threats include data exfiltration of directory/contact data via prompt injection.

L3 · Agent Frameworks ✓ mapped

As an MCP (Model Context Protocol) server, it integrates directly into agent frameworks. The primary threat is insecure tool integration and tool misuse, where the orchestrator fails to validate or restrict the parameters passed to the send/draft email tools.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The deployment environment of the MCP server is unspecified, but it requires access tokens/secrets to authenticate with the Microsoft Graph API. Threats include credential theft of Graph API tokens and lack of network sandboxing.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There are no mentioned logging, guardrails, or observability features. This creates a blind spot where unauthorized emails sent via prompt injection may go undetected.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — Compliance and authorization policies (like OAuth scopes) are handled externally. If the Graph API token has excessive permissions, the agent inherits them, violating the principle of least privilege.

L7 · Agent Ecosystem ✓ mapped

The MCP server operates within an ecosystem where other agents or LLM clients can invoke its tools. A compromised or malicious orchestrator agent could abuse the Outlook tools to propagate spam, phishing, or exfiltrate directory data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).