Module B10 — Microsoft Failure Mode Taxonomy as Red Team Framework

Microsoft Failure Mode Taxonomy as Red Team Framework

B9 gave you the defense checklist. This is the offense playbook. The Microsoft Failure Mode Taxonomy v2.0 — seven new agentic failure modes plus the zero-click HITL bypass finding — is how systems actually fail in production, distilled from twelve months of deployed red teaming. Where OWASP tells you what to defend, this taxonomy tells you how attackers chain.

45
minutes
8
artifacts
3
sub-sections
The Microsoft Failure Mode Taxonomy v2.0 is not a list of risks to defend against — it is a red-team framework. Seven new agentic failure modes (supply chain, goal hijack, inter-agent trust, vision, session contamination, dispatch abuse, capability disclosure) map imperfectly onto OWASP ASI, and the imperfection is the point: these are the chains that show up when you red-team an agent built to OWASP. The centerpiece finding is the zero-click HITL bypass chain — a single external input triggers a multi-step chain where each step passes its approval gate individually but the compound is malicious. Per-step approval is structurally insufficient. The compound intent is a distinct attack class, and it requires session-level intent detection layered above per-step approval.
Key Claims
Load-Bearing Claims

The Microsoft Taxonomy v2.0 and OWASP ASI are complementary by function, not redundant by content. OWASP (B9) is a defense checklist read as a builder — unit = the risk, one row/control/test. The Microsoft taxonomy (B10) is a red-team framework read as an attacker — unit = the chain, multi-step/compound intent. The same named risk (Goal Hijacking, Supply Chain) appears in both as DIFFERENT artifacts: one is a control, the other is the procedure that finds the gap between the control on paper and the control in production. The synthesis error is concluding 'we covered goal hijacking in B9, so B10 adds nothing.'

The seven new failure modes are not a re-labeling of OWASP rows — three of them (inter-agent trust escalation, computer-use visual attacks, session context contamination) have no clean OWASP row at all. They live BETWEEN the rows: orchestrators treat sub-agent messages as role-scoped authority (no ASI equivalent); vision-modality attacks are invisible to text-based taint gates (no text-only analogue); session context contamination is ephemeral-but-cross-turn, so ASI04's memory-write controls do not catch it. An engagement scoped to B9 alone misses all three.

The zero-click HITL bypass chain is the centerpiece finding: per-step approval is necessary and insufficient. A single external input triggers a multi-step chain where every step passes its approval gate (each is benign in isolation) but the compound exfiltrates data or reaches lateral movement. The malice lives in the compound, invisible to any gate that evaluates steps in isolation. The required control is session-level intent detection — intent tracking, compound-action pattern matching, and approval freshness windows — layered ABOVE per-step approval. This is the direct cross-turn extension of B8's observability layer.

A B10 engagement designs chains, not rows. The methodology: reconnaissance via capability disclosure (Mode 7), surface selection, chain construction (each step must pass its OWASP control INDIVIDUALLY — the chain slips between controls, not through a missing one), compound delivery via a single external input, and gap identification (the deliverable is the specific session-level gap the client patches). B9 produces the scored report; B10 produces the chain and the gap; B12 packages both as one engagement. Neither alone is sufficient.

After This Module
01
Distinguish the Microsoft Failure Mode Taxonomy from OWASP ASI by FUNCTION — OWASP is a defense checklist (what to build and test); the Microsoft taxonomy is a red-team framework (how systems actually fail and how an attacker chains). State why a mature program needs both and why neither alone is sufficient.
02
For each of the seven new agentic failure modes, state the mode defined, give a real-world scenario, map it to the OWASP ASI risk(s) it overlaps (and where it diverges), state the red-team attack procedure, and state the defense.
03
Explain the zero-click HITL bypass chain — why a single external input triggers a multi-step chain where each step passes approval but the compound is malicious, why per-step approvals are structurally insufficient, and why session-level intent detection is the required control — and connect this to B8's observability layer.
04
Use the taxonomy as an engagement design tool — translate each failure mode into a chain of test actions, sequence them into a multi-step attack chain, and identify the session-level control that would detect or break the chain.
05
State the complementarity precisely: OWASP (B9) = what to defend; Microsoft (B10) = how attackers chain. Together they form the complete red-team methodology that B12 operationalizes as a service.
Artifacts
01
Teaching Document
~4,500 words; 3 sub-sections — the seven new agentic failure modes (each with definition, scenario, OWASP cross-ref, red-team procedure, defense), the zero-click HITL bypass chain (centerpiece), and the OWASP/taxonomy complementarity + engagement methodology; with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the seven failure modes map, the zero-click HITL bypass chain (centerpiece), how the taxonomy maps to OWASP (complementarity), the red-team engagement flow, per-step vs session-level detection architecture
READ
03
Slide Deck
13 slides — reveal.js, dark theme, design-system teal; covers the thesis, seven modes, three modes with no clean OWASP row, the zero-click chain, why per-step approval fails, session-level detection mechanisms, engagement methodology
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~2,000 words spoken at ~140 wpm across 12 slide cues
READ
05
Flashcards
21 flashcards (TSV) — mix of recall and analysis; covers all seven modes, the zero-click chain, the complementarity, and the engagement methodology
TEST
06
Exam
15-question exam, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Design a Multi-Step Attack Chain — runnable trace-based simulation (Python 3.10+, type hints, no GPU, no external deps): design and execute a 5+ step zero-click HITL bypass chain, confirm every per-step gate passes while the compound exfiltrates, then implement and verify the session-level intent detector that catches it (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE