Module SDD-B02 — Microsoft Failure Mode Taxonomy v2.0

Microsoft Failure Mode Taxonomy v2.0

B10 gave you the framework — seven new agentic failure modes plus the zero-click HITL bypass finding. This deep-dive expands each mode into a full case study: the attack chain, the detection gap (why the OWASP controls did not catch it), and the defense that does. The seven modes distilled from twelve months of deployed red teaming, each one a reproduced chain against an agent built to OWASP.

45
minutes
8
artifacts
3
sub-sections
B10 introduced the Microsoft Failure Mode Taxonomy v2.0 as a red-team framework and named the seven new agentic failure modes. This deep-dive is the case-study expansion: each mode becomes a full attack chain with the specific detection gap that let it through and the specific defense that closes it. The centerpiece is the zero-click HITL bypass chain — a single external input triggers a multi-step chain where each step passes its approval gate individually but the compound is malicious. Per-step approval is structurally insufficient; the required control is session-level intent detection layered above per-step approval. Whereas SDD-B01 expanded the OWASP rows into offensive procedures, this deep-dive expands the Microsoft modes into case studies — the chains that show up when you red-team an agent built to OWASP, when the controls on paper do not compose the way the builder assumed.
Key Claims
Load-Bearing Claims

Each of the seven Microsoft failure modes is a chain that defeats an agent built to OWASP — not a risk the builder forgot, but the gap between the control on paper and the control in production. Mode 1 (supply chain) defeats ASI08's signed manifests because the signature verifies the publisher, not the benignity. Mode 2 (goal hijacking) defeats ASI01's taint gate because deployed hijacking is drift, not single-shot. Mode 3 (inter-agent trust) defeats ASI10's principal binding because orchestrators trust sub-agent messages as role-scoped authority. Mode 4 (vision) defeats ASI07's sanitizer because the attack is in the pixels, invisible to text-based gates. Mode 5 (session contamination) defeats ASI04's managed writes because the poison is ephemeral-but-cross-turn, never touching durable memory. Mode 6 (dispatch abuse) defeats ASI05's path normalization because the surface is the selection logic. Mode 7 (capability disclosure) defeats ASI02's canary because disclosure is reconnaissance scored by the chain it enables. Same named risk, different artifact — the chain is the finding.

Three of the seven modes have no clean OWASP row at all — they live between the rows. Inter-agent trust escalation (Mode 3), computer-use visual attacks (Mode 4), and session context contamination (Mode 5) have no text-only, single-agent analogue. Orchestrators treat sub-agent messages as role-scoped authority (no ASI equivalent); vision-modality attacks are invisible to text-based taint gates (no text analogue); session contamination is ephemeral-but-cross-turn, so ASI04's durable-memory write controls do not catch it. An engagement scoped to OWASP alone misses all three.

The zero-click HITL bypass chain is the structural finding that reframes the human-in-the-loop control: per-step approval is necessary and insufficient. A single external input triggers a multi-step chain where every step passes its approval gate (each is benign in isolation) but the compound exfiltrates data or reaches lateral movement. The malice lives in the compound, invisible to any gate that evaluates steps in isolation. The required control is session-level intent detection — intent tracking, compound-action pattern matching, and approval freshness windows — layered ABOVE per-step approval. This is the direct cross-turn extension of B8's observability layer.

This deep-dive is the case-study companion to B10 — read both, and the difference between 'the mode is defined' (B10) and 'the chain is reproduced with the gap identified' (SDD-B02) becomes the engagement deliverable. B10 names the modes and the methodology; SDD-B02 reproduces the chains and pinpoints the session-level gap each client must patch. B9 is the floor (what to defend); SDD-B01 is the OWASP chains; SDD-B02 is the Microsoft chains. A B12 engagement runs all three: the scored report, the OWASP offensive procedures, and the Microsoft case-study chains.

After This Module
01
For each of the seven Microsoft failure modes (supply chain, goal hijack, inter-agent trust, vision, session contamination, dispatch abuse, capability disclosure), reproduce the full case study: the attack chain, the specific detection gap that let it through an OWASP-built agent, and the defense that closes it.
02
Explain why each mode defeats the corresponding OWASP control on paper — and articulate why three of the seven modes (inter-agent trust, vision, session contamination) have no clean OWASP row at all, living between the rows.
03
Reproduce the zero-click HITL bypass chain end-to-end — the single external input, the multi-step chain where each step passes approval individually, the compound that exfiltrates — and explain why per-step approval is structurally insufficient and why session-level intent detection is the required control.
04
Distinguish the Microsoft taxonomy's function (red-team framework, unit = the chain) from OWASP's function (defense checklist, unit = the risk), and explain why an engagement scoped to OWASP alone misses the three between-the-rows modes plus every compound chain.
05
Translate each Microsoft mode into an engagement case study — reconnaissance via capability disclosure, surface selection, chain construction (each step passes its OWASP control individually), compound delivery, and gap identification (the specific session-level control the client patches).
Artifacts
01
Teaching Document
~3,400 words; 3 sub-sections — Modes 1–4 case studies (supply chain, goal hijack, inter-agent trust, vision — each with attack chain + detection gap + defense), Modes 5–7 + the zero-click HITL bypass chain (centerpiece), the defense for each mode + the engagement methodology; with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the seven modes as case-study map (each with the OWASP control it defeats), the zero-click HITL bypass chain (centerpiece, 5 steps each passing approval), the three between-the-rows modes (no OWASP analogue), per-step vs session-level detection architecture, the B9+SDD-B01+SDD-B02 engagement stack
READ
03
Slide Deck
12 slides — reveal.js, dark theme, design-system teal; covers the thesis (case-study companion to B10), Modes 1–4, Modes 5–7, the three between-the-rows modes, the zero-click chain, per-step vs session-level, the engagement methodology
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~2,800 words spoken at ~140 wpm across 12 slide cues
READ
05
Flashcards
20 flashcards (TSV) — mix of recall and analysis; covers all seven modes (chain + gap + defense), the three between-the-rows modes, the zero-click chain, session-level intent detection, the complementarity
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Reproduce the Zero-Click HITL Bypass Chain + the Seven Mode Case Studies — runnable trace-based simulation (Python 3.10+, type hints, no GPU, no external deps): reproduce a 5-step zero-click chain where every per-step gate passes while the compound exfiltrates, implement and verify the session-level intent detector, then reproduce one chain per Microsoft mode (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE