Microsoft conducted a red team test (simulated attacks to find vulnerabilities) on an internal platform with over 100 AI Agents (AI programs capable of autonomous task execution). The conclusion is clear: no matter how secure a single Agent is, once it interacts on a network, four entirely new risks emerge.
What this is
The research team ran over 100 Agents on the same platform, each representing different human users, participating in forum discussions, direct messaging, and collaborative tasks. They ran on different models, with different instructions and memories.
The test identified four risks that only appear at the "networked" level:
Spread: A malicious message spreads like a worm from Agent to Agent, stealing private data at each step. Amplification: An attacker leverages the reputation of a trusted Agent to plant false information, triggering a chain reaction that generates convincing but entirely fabricated evidence. Trust Hijacking: Attackers control the mechanism Agents use to mutually verify information, turning the verification system into a tool that reinforces lies. Stealth: Information passes through a chain of unwitting Agents, making it difficult to trace the attack's origin from any single point.
Key judgment: A single Agent's reliability cannot predict network behavior. The industry's commonly used single-Agent benchmarks may be missing the most dangerous issues.
Industry view
We note that Agent interconnection is a clear industry direction this year—Anthropic's MCP (a protocol allowing different AI tools to communicate) and OpenAI's push for an Agent ecosystem are both moving Agents from "standalone" to "networked." Microsoft's research is essentially a warning: infrastructure is running ahead of security research.
Some security researchers point out that Microsoft's test environment was a controlled internal platform; in real commercial scenarios, the number, heterogeneity, and conflicts of interest among Agents will be more complex, meaning risks may be underestimated. Optimistic voices note that the study itself observed "some Agent networks showing a degree of resistance under attack," showing that defense is not unsolvable, just in its early stages.
Our preferred judgment is: The security issue of Agent interconnection is not "will something go wrong," but "when will something go wrong." The industry's pursuit of single-point capabilities is systematically ignoring interconnection risks.
Impact on regular people
For enterprise IT: If a company deploys multiple collaborating Agents (customer service, approvals, data analysis), it needs to incorporate "inter-Agent communication security" into its architecture design, not just focus on single-Agent permission controls.
For individual professionals: Agent interconnection means your data might be accessed by Agents you've never directly interacted with—knowing how your information flows within the Agent network is more important than knowing how to use a single tool.
For the consumer market: In the short term, consumers won't directly perceive Agent interconnection. But when the "Agent that books your flights" and the "Agent that manages your calendar" start talking automatically, the path of privacy leakage will shift from "who you authorized" to "who was infected by your authorizee."