What is MCP Server Spoofing?
MCP server spoofing is impersonating a legitimate MCP server to intercept or manipulate tool calls between the client and the real server.
WHY IT MATTERS
When an MCP client connects to a server — particularly over network transports like SSE or HTTP — it needs to verify it is talking to the intended server. MCP server spoofing exploits cases where this verification is weak or absent. The attacker presents a server that mimics the legitimate one, accepting tool calls and returning plausible responses.
The spoofed server has full visibility into every tool call the agent makes: parameter values, authentication tokens, query content, and any sensitive data passed as arguments. It can also manipulate responses — returning altered data that influences the agent's subsequent decisions.
Spoofing is especially viable in environments where MCP servers are discovered dynamically or configured via URLs that can be intercepted (DNS poisoning, compromised configuration files, malicious browser extensions). Unlike stdio transport where the server runs as a local process, network-based MCP transports are inherently exposed to network-level attacks.
The impact ranges from passive data collection to active manipulation — the spoofed server might approve a policy check that should fail, return fabricated search results, or redirect file operations to attacker-controlled storage.
HOW POLICYLAYER USES THIS
Intercept acts as the single, trusted connection point between MCP clients and servers. Because every tool call is routed through a locally running proxy that holds a policy-defined list of authorised server endpoints, a spoofed server never receives traffic. Intercept validates server identity at the transport layer, and its fail-closed design blocks connections to any server not explicitly listed in the YAML policy configuration.
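The allowlist and fail-closed behaviour described above, as an added illustration that is not PolicyLayer's or Intercept's own code. It assumes a hypothetical policy document (shown here as a Python dict standing in for loaded YAML, since the page does not show the real schema) that lists each authorised server URL alongside a SHA-256 pin of its certificate, and it checks a candidate endpoint against that list before any tool call is forwarded. Every parse error, lookalike host, plain-http URL, or pin mismatch is rejected.

```python
"""Fail-closed endpoint check for MCP server connections (illustrative only)."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample policy. The key names and the certificate pin are
# assumptions for this example, not PolicyLayer's YAML schema.
POLICY = {
    "servers": [
        {
            "url": "https://tools.example.internal:8443/mcp",
            # Hypothetical pin: SHA-256 of the server's DER-encoded certificate.
            "cert_sha256": hashlib.sha256(b"constructed DER bytes for tools").hexdigest(),
        }
    ]
}

DEFAULT_PORTS = {"https": 443}


def _normalise(url: str):
    """Reduce a URL to (scheme, host, port, path); raise on anything ambiguous."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Network transports without TLS give the client nothing to verify.
        raise ValueError("only https transports are allowed")
    if "@" in parts.netloc:
        # user:pass@host forms can make a lookalike host read as the real one.
        raise ValueError("userinfo in netloc is not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    return parts.scheme, host, port, path


def authorise(url: str, presented_cert_der: bytes, policy: dict = POLICY):
    """Return (allowed, reason). Any error or mismatch yields False (fail closed)."""
    try:
        candidate = _normalise(url)
        for entry in policy["servers"]:
            if _normalise(entry["url"]) != candidate:
                continue  # exact match on scheme, host, port and path only
            fingerprint = hashlib.sha256(presented_cert_der).hexdigest()
            if hmac.compare_digest(fingerprint, entry["cert_sha256"]):
                return True, "endpoint and certificate pin match policy"
            return False, "endpoint listed but certificate pin mismatch"
        return False, "endpoint not in policy allowlist"
    except Exception as exc:  # malformed URL, bad port, missing policy keys
        return False, f"rejected: {exc}"


if __name__ == "__main__":
    good_cert = b"constructed DER bytes for tools"
    for candidate in [
        "https://tools.example.internal:8443/mcp",
        "http://tools.example.internal:8443/mcp",
        "https://tools.example.internal.evil.test:8443/mcp",
        "https://tools.example.internal@evil.test:8443/mcp",
    ]:
        print(candidate, "->", authorise(candidate, good_cert))
```

The comparison is on the normalised tuple rather than on the raw string, so trivial variations (host case, an omitted default port) still match the listed entry, while anything that changes the actual destination (a different port, a suffix appended to the host, a userinfo prefix) falls through to the deny branch. Pinning the certificate in addition to the endpoint covers the DNS-poisoning case the page mentions, where the URL is right but the host answering it is not.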