Poisoned Postmark MCP Server Email Exfiltration - AI Case Study
AI Case StudyA bad actor successfully exfiltrated emails from users of the Postmark’s MCP server via a supply chain attack. Postmark is an email delivery service that allows organizations to send marketing and transactional emails via API. The Postmark MCP server allows users to interact with Postmark via AI agents. The bad actor impersonated Postmark, by registering the postmark-mcp package name on npm. They initially publi...
Overview
Risk patterns
Patterns found in the case record and its linked vulnerabilities.
- 1Dominant ATLAS tactic. Defense Evasion appears in 2 case steps.
- 2Multiple attack methods. The case connects to 9 unique AI attack methods.
Procedure timeline
Search the case steps or filter them by attacker goal.
-
Defense Evasion
Step 1
Impersonation
The bad actor impersonated Postmark by publishing a legitimate version of their
postmark-mcppackage to npm. Postmark had not registered thepostmark-mcpname on npm themselves, allowing the bad actor to namesquat. Legitimate users were tricked into using the npm package even though it wasn’t managed by the official developers ofpostmark-mcp -
Resource Development
Step 2
Develop Capabilities
The bad actor modified the legitimate Postmark MCP server to include their email address on the BCC line on all emails sent by the tool.
-
Resource Development The bad actor published their malicious version of
postmark-mcpto npm. -
Defense Evasion
Step 4
AI Supply Chain Rug Pull
By waiting for users to adopt a legitimate version of
postmark-mcpfirst, the bad actor was able to evade the additional scrutiny and scanning performed on new tools. -
Initial Access
Step 5
AI Agent Tool
When organizations upgraded
postmark-mcpto version1.0.16, they received the malicious version of the tool via the compromised supply chain. -
Persistence
Step 6
AI Agent Tool Poisoning
Once configured with the organization’s AI agents, the poisoned Postmark MCP server’s effects persist.
-
Execution
Step 7
Poisoned AI Agent Tool
When users at the victim organization instructed their AI agent to use tools provided by the poisoned Postmark MCP Server, the malicious code was executed.
-
Exfiltration When organizations sent emails via the
postmark-mcptool, the entire contents of their emails are exfiltrated to the bad actor via the address added on the BCC line. -
Impact
Step 9
External Harms
The exfiltrated emails may include transactional emails (revealing private information about the organization’s clients) and promotional emails (revealing the organization’s client list).
Mitigations
Defenses connected to the attack methods in this case.
AI Agent Tools Permissions Configuration
When deploying tools that will be shared across multiple AI agents, it is important to implement robust policies and controls on permissions for the tools. These controls include applying the principle of least privilege along with delegated access, where the tools receive the permissions, identities, and restrictions of the AI agent calling them. These configurations may be implemented either in MCP servers which connect the agents to the tools calling them or, in more complex cases, directly in the configuration files of the tool.
AI Telemetry Logging
Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts.
Additionally, having logging enabled can discourage adversaries who want to remain undetected from utilizing AI resources.
Human In-the-Loop for AI Agent Actions
Systems should require the user or another human stakeholder to approve AI agent actions before the agent takes them. The human approver may be technical staff or business unit SMEs depending on the use case. Separate tools, such as dedicated audit agents, may assist human approval, but final adjudication should be conducted by a human decision-maker.
The security benefits from Human In-the-Loop policies may be at odds with operational overhead costs of additional approvals. To ease this, Human In-the-Loop policies should follow the degree of consequence of the task at hand. Minor, repetitive tasks performed by agents accessing basic tools may only require minimal human oversight, while agents employed in systems with significant consequences may necessitate approval from multiple stakeholders diversified across multiple organizations.
Input and Output Validation for AI Agent Components
Implement validation on inputs and outputs for the tools and data sources used by AI agents. Validation includes enforcing a common data format, schema validation, checks for sensitive or prohibited information leakage, and data sanitization to remove potential injections or unsafe code. Input and output validation can help prevent compromises from spreading in AI-enabled systems and can help secure the workflow when multiple components are chained together. Validation should be performed external to the AI agent.
Showing 4 of 8
Source evidence
Original public records and references for this case.
Original source
Original source links
Open the MITRE ATLAS data and public references used for this case study.
