Microsoft Failure Mode Taxonomy v2.0
B10 gave you the framework — seven new agentic failure modes plus the zero-click HITL bypass finding. This deep-dive expands each mode into a full case study: the attack chain, the detection gap (why the OWASP controls did not catch it), and the defense that does. The seven modes distilled from twelve months of deployed red teaming, each one a reproduced chain against an agent built to OWASP.
Each of the seven Microsoft failure modes is a chain that defeats an agent built to OWASP — not a risk the builder forgot, but the gap between the control on paper and the control in production. Mode 1 (supply chain) defeats ASI08's signed manifests because the signature verifies the publisher, not the benignity. Mode 2 (goal hijacking) defeats ASI01's taint gate because deployed hijacking is drift, not single-shot. Mode 3 (inter-agent trust) defeats ASI10's principal binding because orchestrators trust sub-agent messages as role-scoped authority. Mode 4 (vision) defeats ASI07's sanitizer because the attack is in the pixels, invisible to text-based gates. Mode 5 (session contamination) defeats ASI04's managed writes because the poison is ephemeral-but-cross-turn, never touching durable memory. Mode 6 (dispatch abuse) defeats ASI05's path normalization because the surface is the selection logic. Mode 7 (capability disclosure) defeats ASI02's canary because disclosure is reconnaissance scored by the chain it enables. Same named risk, different artifact — the chain is the finding.
Three of the seven modes have no clean OWASP row at all — they live between the rows. Inter-agent trust escalation (Mode 3), computer-use visual attacks (Mode 4), and session context contamination (Mode 5) have no text-only, single-agent analogue. Orchestrators treat sub-agent messages as role-scoped authority (no ASI equivalent); vision-modality attacks are invisible to text-based taint gates (no text analogue); session contamination is ephemeral-but-cross-turn, so ASI04's durable-memory write controls do not catch it. An engagement scoped to OWASP alone misses all three.
The zero-click HITL bypass chain is the structural finding that reframes the human-in-the-loop control: per-step approval is necessary and insufficient. A single external input triggers a multi-step chain where every step passes its approval gate (each is benign in isolation) but the compound exfiltrates data or reaches lateral movement. The malice lives in the compound, invisible to any gate that evaluates steps in isolation. The required control is session-level intent detection — intent tracking, compound-action pattern matching, and approval freshness windows — layered ABOVE per-step approval. This is the direct cross-turn extension of B8's observability layer.
This deep-dive is the case-study companion to B10 — read both, and the difference between 'the mode is defined' (B10) and 'the chain is reproduced with the gap identified' (SDD-B02) becomes the engagement deliverable. B10 names the modes and the methodology; SDD-B02 reproduces the chains and pinpoints the session-level gap each client must patch. B9 is the floor (what to defend); SDD-B01 is the OWASP chains; SDD-B02 is the Microsoft chains. A B12 engagement runs all three: the scored report, the OWASP offensive procedures, and the Microsoft case-study chains.