
softeria/ms-365-mcp-server — agentic threat model

AIVSS 9.5 · Critical

The softeria/ms-365-mcp-server scores high because it gives an LLM broad, write-capable access to sensitive Microsoft 365 data (Outlook mail, OneDrive and SharePoint files) through the Microsoft Graph API. The same mailbox and file stores the agent reads are also where any outsider can place content, so without strict OAuth scoping and external guardrails on the consuming agent, prompt injection can turn the server's tools into a channel for data exfiltration or unauthorized actions such as sending mail or deleting files.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.8
Factor sum: 5.2 / 10
Threat multiplier (ThM): ×1.1
AARS uplift: (10 − 8.8) × (5.2 / 10) × 1.1 = 0.6864 ≈ 0.69
Mitigation factor: ×1.0 (no mitigation credit)
AIVSS: (8.8 + 0.69) × 1.0 = 9.49 ≈ 9.5

Agentic risk factors (each scored 0.00 to 1.00, so the sum is out of 10):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.00
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the OWASP AIVSS formula (see the AIVSS calculator reference). The ten agentic risk factors are estimates derived from the server's described capabilities, not measured values, so the final figure moves with those estimates.
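As an added worked example (not part of the listing, and not the AIVSS calculator's own code), the following Python evaluates the formula above with the ten factor values from this page and reproduces the 0.69 AARS uplift and the 9.5 score. The rounding (two decimals for AARS, one for AIVSS) is an assumption chosen to match what the page displays; the code does not clamp the result at 10 because the page's formula does not say whether the calculator does.

```python
# Added example: evaluate OWASP AIVSS as quoted on this page.
# The factor values below are copied from the listing; the rounding is an
# assumption matching the page's display.

FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.80,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def _check_inputs(cvss_base: float, factors: dict) -> None:
    """Reject values outside the ranges the formula assumes."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")


def factor_sum(factors: dict) -> float:
    """Sum of the ten factors; max 10, hence the /10 in the AARS formula."""
    return sum(factors.values())


def aars(cvss_base: float, factors: dict, thm: float) -> float:
    """Agentic AI Risk Score: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    _check_inputs(cvss_base, factors)
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: dict, thm: float, mitigation: float) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, unrounded."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def score_listing(cvss_base: float = 8.8, thm: float = 1.1, mitigation: float = 1.0) -> dict:
    """Reproduce the page's figures: defaults are the listing's inputs."""
    uplift = aars(cvss_base, FACTORS, thm)
    total = aivss(cvss_base, FACTORS, thm, mitigation)
    return {
        "factor_sum": round(factor_sum(FACTORS), 2),
        "aars": round(uplift, 2),           # page shows 0.69
        "aivss": round(total, 1),           # page shows 9.5
        "aivss_unrounded": total,
    }


if __name__ == "__main__":
    for key, value in score_listing().items():
        print(f"{key}: {value}")
```

Because CVSS base and mitigation factor dominate the result, the `score_listing` defaults can be overridden to see how much a lower base score or a mitigation factor below 1.0 would move the figure; the factor estimates themselves only scale the remaining headroom above the CVSS base.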

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" are general, caveated commentary for layers the public description does not establish.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing: the MCP server is model-agnostic and bundles no foundation model, so model-layer weaknesses belong to whichever LLM the client runs. That model is still the target, because prompt injection against it is what turns the Graph API tools into an attack surface.

L2 · Data Operations (✓ mapped)

High risk of data exfiltration and context poisoning. The server reads OneDrive, SharePoint and Outlook content, which is both the sensitive organizational data an attacker wants out and an untrusted input channel: any outside party can send an email or share a file into the tenant, and the agent then reads that content into its context.

L3 · Agent Frameworks (✓ mapped)

Insecure tool integration is the main threat at this layer. With broad Graph API scopes (read/write on mail and files), a hijacked tool call can send spam or phishing mail, delete or overwrite files, or forward data out of the tenant; the framework between the LLM and the tools is where such calls must be constrained or confirmed.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing: the hosting environment of the MCP server and the storage of OAuth tokens and client secrets are critical but unspecified. Whoever compromises the host holds the M365 credentials, so token storage, host hardening and secret handling decide the blast radius.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing: no built-in logging, guardrails or monitoring are mentioned. Without an audit trail of the Graph API calls made on the agent's behalf (tool-call logging on the client side, and the tenant's own Microsoft 365 audit and sign-in logs), malicious actions may go undetected.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

OAuth scoping and token management are the central concern. Over-privileged delegated Graph scopes such as Mail.ReadWrite or Files.ReadWrite.All give the agent write access to the whole mailbox and to every file the signed-in user can reach, which is a severe identity and compliance risk. Request only the narrowest scopes the tools in use need (read-only variants where writes are not required) and verify what the consent grant actually contains rather than what was intended.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing: integration into a multi-agent system is not described. If it happens, a compromised peer agent can drive this server's M365 access as a lateral exfiltration path, so agent-to-tool access needs the same authorization boundary as user-to-tool access.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).