This work addresses the vulnerability of Model Context Protocol (MCP) to stealthy attacks via maliciously manipulated tool responses, a challenge inadequately mitigated by existing approaches due to their high cost, semantic incoherence, reliance on white-box access, or susceptibility to detection. To overcome these limitations, we propose TIP, a novel method that introduces tree-structured adaptive search into MCP payload generation. TIP leverages large language models within a coarse-to-fine optimization framework to perform black-box search, incorporating path-aware feedback to escape local optima and dynamically adjusting its exploration strategy in response to perceived defense signals. Experimental results demonstrate that TIP achieves over 95% attack success rates without defenses across four mainstream large language models, using an order of magnitude fewer queries than current adaptive attacks. Moreover, it maintains above 50% success against four representative defenses, significantly outperforming state-of-the-art methods.

Recent advances in the Model Context Protocol (MCP) have enabled large language models (LLMs) to invoke external tools with unprecedented ease. This creates a new class of powerful and tool augmented agents. Unfortunately, this capability also introduces an under explored attack surface, specifically the malicious manipulation of tool responses. Existing techniques for indirect prompt injection that target MCP suffer from high deployment costs, weak semantic coherence, or heavy white box requirements. Furthermore, they are often easily detected by recently proposed defenses. In this paper, we propose Tree structured Injection for Payloads (TIP), a novel black-box attack which generates natural payloads to reliably seize control of MCP enabled agents even under defense. Technically, We cast payload generation as a tree structured search problem and guide the search with an attacker LLM operating under our proposed coarse-to-fine optimization framework. To stabilize learning and avoid local optima, we introduce a path-aware feedback mechanism that surfaces only high quality historical trajectories to the attacker model. The framework is further hardened against defensive transformations by explicitly conditioning the search on observable defense signals and dynamically reallocating the exploration budget. Extensive experiments on four mainstream LLMs show that TIP attains over 95% attack success in undefended settings while requiring an order of magnitude fewer queries than prior adaptive attacks. Against four representative defense approaches, TIP preserves more than 50% effectiveness and significantly outperforms the state-of-the-art attacks. By implementing the attack on real world MCP systems, our results expose an invisible but practical threat vector in MCP deployments. We also discuss potential mitigation approaches to address this critical security gap.