Microsoft Failure Mode Taxonomy as Red Team Framework
Module B10 · Course 2B — Securing & Attacking Harnesses and LLMs
45 minutes · B9 gave you the defense checklist. This is the offense playbook — how agentic systems actually fail in production, distilled from twelve months of deployed red teaming.
Where OWASP tells you what to defend, this taxonomy tells you how attackers chain. The most important finding: zero-click chains bypass human-in-the-loop approvals end-to-end.
Pillar 4 — Frameworks & Governance
The thesis: two functions, not two lists
OWASP ASI (B9) and the Microsoft Taxonomy v2.0 (B10) look like they overlap — Goal Hijacking appears in both. The overlap is at the named-risk level. The artifact is different.
OWASP ASI — B9
Defense checklist. Read as a builder. Unit = the risk (one row, one control, one test). Question: what do I defend?
Microsoft Taxonomy — B10
Red-team framework. Read as an attacker. Unit = the chain (multi-step, compound intent). Question: how do systems actually fail?
The synthesis error: "we covered goal hijacking in B9, so B10 adds nothing." OWASP's ASI01 says build a taint gate. The Microsoft entry says here is the drift chain that defeats your taint gate across turns. Same name, different artifact.
B10.1 — The seven new agentic failure modes
Patterns observed across 12 months of deployed red teaming — each maps imperfectly to OWASP
The seven modes (and where they diverge from OWASP)
1 Agentic Supply Chain — the entire tool-registration layer IS the supply chain (≈ ASI08)
2 Goal Hijacking — drift across turns, not single-shot (≈ ASI01)
3 Inter-Agent Trust Escalation — sub-agent forges msgs to orchestrator (≈ ASI07/10)
4 Computer-Use Visual Attacks — steganographic content via vision (≈ ASI07, new modality)
5 Session Context Contamination — cross-turn context poisoning (≈ ASI04/06)
6 MCP / Plugin Abuse — dispatch-layer exploitation (≈ ASI05)
7 Capability Disclosure — agent leaks its toolset/prompt; scored by the chain it enables, not the leak (≈ ASI02)
The "≈" annotations are overlaps, not equivalences. The divergence is the value: each mode names the chain that defeats the OWASP control in production.
Three modes that have no clean OWASP row
| Mode | Why OWASP alone misses it |
| 3 · Inter-Agent Trust Escalation | Orchestrators treat sub-agent messages as role-scoped authority, not untrusted input. Neither ASI07 nor ASI10 captures this — it didn't exist in single-agent systems. |
| 4 · Computer-Use Visual Attacks | A vision modality with no text-only analogue. A human sees "20% OFF"; the vision model decodes an instruction. Invisible to any text-based taint gate. |
| 5 · Session Context Contamination | Ephemeral but cross-turn. Lives in the context window, not durable memory — so ASI04's memory-write controls don't catch it. Most harnesses have no control for it. |
These three live between the rows of OWASP, not on a row. An engagement scoped to B9 alone misses all three.
B10.2 — The zero-click HITL bypass chain
The centerpiece finding — per-step approval is necessary and insufficient
The finding that reframes HITL
Zero-click attack chains bypass human-in-the-loop approvals end-to-end. A single external input triggers a multi-step chain. Every step passes its approval gate — because every step is benign in isolation. The malice lives in the compound, not in any step.
The five-step chain:
1. External email: "reconcile Q3 vendors vs billing, send discrepancies"
2. Read vendor list + billing records — APPROVED (routine access)
3. Find engineered "discrepancy"; draft email CC'ing "billing-auditor" — APPROVED (drafting)
4. Send the email — APPROVED (routine send; human sees a reasonable note)
5. Vendor list + billing details exfiltrated to the attacker. Impact.
Why per-step approval is structurally insufficient
Each approval, in isolation, was correct. The human who approved step 4 saw a reasonable billing email. They did not see step 1's injected payload, step 3's engineered discrepancy, or the compound — that the four prior steps compose to exfiltrate the vendor list.
No single approver had the session-level context to refuse, because no single step was refusable. Per-step approval is the right control for a single malicious action. It is the wrong control for a chain of individually-benign actions whose composition is malicious.
The required control: session-level intent detection. Track the goal across the session. Evaluate each step as part of the compound. Halt when the compound diverges from user intent or matches an exfiltration / escalation / lateral pattern. This sits above per-step approval, not instead of it.
Session-level intent detection — three mechanisms
| Mechanism | What it does |
| Intent tracking | Record the user's original goal; re-derive the agent's sub-goal each turn from source, not from the accumulating (possibly contaminated) context |
| Compound-action detection | Evaluate each new action as the next element of the session's sequence; flag sequences matching exfil / escalation / lateral shapes |
| Approval freshness windows | Approval valid for a bounded window + scope; out-of-window re-triggers approval with the compound context attached |
The direct line to B8. B8's observability layer is the substrate; per-turn reasoning-chain detection is the bottom layer. The session-level detector is the cross-turn extension the zero-click finding forces into existence. If your B8 is per-turn only, this is why you extend it.
B10.3 — Complementarity & engagement methodology
How OWASP (B9) and this taxonomy (B10) compose into the B12 service
The engagement designs chains, not rows
- Reconnaissance via capability disclosure (Mode 7) — enumerate the agent's actual tools and config
- Surface selection — supply chain, inter-agent, vision, session-context, dispatch, or indirect injection
- Chain construction — each step must pass its OWASP control individually; the malice lives in the compound
- Compound delivery — trigger via a single external input (zero-click)
- Gap identification — the deliverable is the session-level gap the client patches
Neither alone is sufficient. B9 alone misses every failure between the rows. B10 alone misses the missing taint gate, the absent canary, the unscoped credential. B12 packages both as one engagement.
Lab & what's next
Lab (07): design a multi-step zero-click HITL bypass chain against a sample agent — five or more steps, each benign-looking, compound malicious. Run it as a logged trace. Then implement the session-level intent detector that catches it.
Next — B11: Governance and Compliance. The NIST AI RMF, the AI BOM, the audit-trail requirements. B9 is the checklist, B10 is the chains, B11 is the governance layer an engagement must satisfy. B12 packages all three as a service.