Fake multi-tenant MCP (Model Context Protocol) shared-prompt poisoning lure — "your shared MCP server multi-tenant system_prompt template has been updated, please re-deploy across all tenants within 24 hours" / "update the gmail-mcp shared system_prompt within 48 hours, downstream MCP tenants will inherit the new shared prompt template." Sender NOT on the MCP-vendor canonical allowlist (anthropic.com, console.anthropic.com, docs.anthropic.com, modelcontextprotocol.io, smithery.ai, glama.ai, mcp.so, github.com, githubusercontent.com, cloudflare.com, openai.com). Real MCP shared-prompt template updates flow through the MCP-server admin dashboard with tenant-scoped authorization, never via inbound email demanding a shared template re-deploy on a deadline. Distinct from R6 MCP-config (single-tenant) and R8 mcp-registry-typosquat (registry-level) — this signal is specifically the *multi-tenant shared-prompt* injection pretext (OWASP LLM01 prompt-injection at the tenant-isolation layer; multi-tenant MCP attacker who has ANY tenant access pollutes shared system_prompt template, downstream tenants inherit injection). Source: Red-Team R8 multi-agent council S5 (agentic-AI specialist), Lead consensus C5.
mcp-shared-prompt-poisoning-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake multi-tenant MCP (Model Context Protocol) shared-prompt poisoning lure targeting MCP-server admins, AI-platform engineers, and Claude / GPT MCP-tool users. The phish narrative arrives as: "Your shared MCP server multi-tenant system_prompt template has been updated. Please re-deploy the shared system prompt template across all tenants within 24 hours, or your downstream MCP tenants will inherit stale prompt context. Action required," or "Per the multi-tenant MCP server shared prompt-template policy, please update the gmail-mcp shared system_prompt within 48 hours. Tenants downstream will inherit the new shared prompt template. Mandatory across all your MCP tenants."

Multi-tenant MCP servers (e.g., shared `gmail-mcp`, `drive-mcp`, `slack-mcp` instances) where the same `system_prompt` template is used across multiple tenant accounts create a tenant-isolation attack surface: an attacker who has ANY tenant access can pollute the shared `system_prompt` template, and downstream tenants inherit the prompt injection (OWASP LLM01 prompt-injection at the tenant-isolation layer). The injection can: (1) instruct the downstream agent to silently exfiltrate all matching emails; (2) bias the downstream agent's tool use toward attacker-controlled URLs; (3) plant deferred-trigger backdoor instructions that fire when the user's next prompt mentions a specific keyword.

Real MCP shared-prompt template updates flow through the MCP-server admin dashboard with tenant-scoped authorization (each tenant has independent `system_prompt` control), never via inbound email demanding a shared template re-deploy on a deadline. The signal requires that the sender is NOT on the MCP-vendor canonical allowlist (anthropic.com, console.anthropic.com, docs.anthropic.com, modelcontextprotocol.io, smithery.ai, glama.ai, mcp.so, github.com, githubusercontent.com, cloudflare.com, openai.com).
Distinct from R6 MCP-config-tamper (single-tenant client-config tamper) and R8 mcp-registry-typosquat (registry-level squatting): this signal is specifically the *multi-tenant shared-prompt* injection pretext. Lead consensus C5 (Red-Team R8 multi-agent council): the engine cannot patch agent platforms, but it CAN refuse to silently delete such mail and must label it as agent-trust-boundary-suspect.

The signal fires when the body matches all four of the following groups:

- MCP reference: MCP (server) / model context protocol / gmail-mcp / drive-mcp / slack-mcp / notion-mcp / github-mcp / filesystem-mcp
- Tenancy: multi-tenant / "shared system_prompt/prompt template/prompt/template" / tenant(s) / "downstream tenant/MCP" / "across all your tenants/MCP tenants" / "tenant inheritance/isolation"
- Requested action: "re-deploy (the shared/system_prompt/template)" / "update (the shared) system_prompt/prompt template/template" / "new (shared) system_prompt/prompt template" / "shared system_prompt/prompt template (update(d)/policy/change)" / inherit(s/ed)
- Urgency: within N hours-days / 24-48 hours / action required / mandatory / "stale prompt/context" / "policy update"

Excludes the canonical MCP-vendor / Anthropic / OpenAI / GitHub / Cloudflare domains. Auto-classified as danger via the `-lure` suffix (OWASP LLM01 prompt-injection at the tenant-isolation layer). Source: Red-Team R8 multi-agent council S5 (agentic-AI specialist), Lead consensus C5 agent-trust-boundary-suspect.
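The firing condition above, sketched as an added example (not Gorganizer's own code): a Python check that requires all four term groups in the body and a sender outside the allowlist. The regexes are simplified approximations of the listed terms, treating subdomains of allowlisted domains as allowed is an assumption, and the sample senders and newsletter text are constructed.

```python
import re

# Allowlist as listed on the page. Treating subdomains as allowed is an assumption.
ALLOWLIST = {
    "anthropic.com", "console.anthropic.com", "docs.anthropic.com",
    "modelcontextprotocol.io", "smithery.ai", "glama.ai", "mcp.so",
    "github.com", "githubusercontent.com", "cloudflare.com", "openai.com",
}

# One pattern per AND-group of the firing condition (approximations, not the engine's own).
# \bmcp\b also matches the hyphenated server names such as gmail-mcp.
GROUPS = {
    "mcp": r"\bmcp\b|model context protocol",
    "tenant": r"multi-tenant|\btenants?\b"
              r"|shared (?:system_prompt|prompt[- ]template|prompt|template)",
    "action": r"re-?deploy|\binherit(?:s|ed)?\b"
              r"|update (?:the )?(?:shared )?(?:system_prompt|prompt[- ]template|template)"
              r"|new (?:shared )?(?:system_prompt|prompt[- ]template)",
    "urgency": r"within \d+ (?:hours?|days?)|action required|mandatory"
               r"|stale (?:prompt|context)|policy update",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in GROUPS.items()}

def sender_allowlisted(sender: str) -> bool:
    """Exact or dot-boundary match, so github.com.mcp-updates.example fails."""
    domain = sender.rsplit("@", 1)[-1].strip(" >").lower()
    return any(domain == d or domain.endswith("." + d) for d in ALLOWLIST)

def evaluate(sender: str, body: str) -> dict:
    """Fire only if all four groups match and the sender is off the allowlist."""
    groups = {name: bool(rx.search(body)) for name, rx in COMPILED.items()}
    fires = all(groups.values()) and not sender_allowlisted(sender)
    return {"fires": fires, "groups": groups}

# Constructed samples: the lure text quoted on the page plus a benign newsletter.
LURE = ("Your shared MCP server multi-tenant system_prompt template has been updated. "
        "Please re-deploy the shared system prompt template across all tenants within "
        "24 hours, or your downstream MCP tenants will inherit stale prompt context.")
NEWSLETTER = "The MCP spec gained a new transport this month. Read the changelog."
SAMPLES = [
    ("MCP Admin <admin@mcp-tenant-ops.example>", LURE),
    ("notifications@github.com", LURE),
    ("notifications@github.com.mcp-updates.example", LURE),
    ("news@devletter.example", NEWSLETTER),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, evaluate(sender, body))
```

The per-group result is returned alongside the verdict so a reviewer can see which term group kept a message from firing.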
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.