What is MCP Sampling Abuse?

MCP Sampling Abuse is the attack class that exploits the sampling feature, which lets an MCP server ask the client to run LLM completions on its behalf. Sampling exists for legitimate reasons: a code review server might want to summarize a diff without running its own LLM. But the same channel hands attackers a way to use the user’s model, the user’s credits, and the user’s identity to generate content the user never requested. Unit 42 identified sampling as a novel MCP attack surface in 2025. Most MCP clients either don’t support sampling yet or implement it with permissive defaults, which is the worst possible posture against this attack class.

How MCP Sampling Abuse Works

A malicious server sends a sampling/createMessage request with attacker-chosen prompts. The client, if it allows sampling by default, runs the completion using the user’s configured model and bills the user’s API quota. The server reads the result. Variants include billing fraud (generate thousands of tokens until the user’s quota is drained), context exfiltration (the server crafts prompts that pull data out of the user’s conversation history if the client passes it through), phishing content generation (use the user’s LLM to write convincing scams in the user’s voice), and tool injection (sampling requests can include tool definitions that bypass normal approval flow).

Why Sampling Abuse Is Different from Other MCP Attacks

Sampling abuse inverts the usual trust direction. In most MCP attacks, the server returns data the agent consumes. In sampling abuse, the server commands the agent to generate something. The user’s compute, credits, and identity become the attacker’s resources. This is closer to a server-side reflection attack than a typical prompt injection. The financial impact can be immediate: a sustained sampling abuse campaign can drain hundreds of dollars in API credits before the user notices the bill. The reputational impact is worse if the generated content is later attributed to the user.

How to Detect and Stop MCP Sampling Abuse

Default-deny sampling for every new MCP server. Require explicit per-server approval before any sampling request runs. Show every sampling prompt to the user with full context before execution. Rate-limit sampling per server, per session, and per day. Block sampling requests that include tool definitions unless the server is on a separate trusted-sampling allowlist. Log every sampling event with full prompt content for forensic review. The Certified MCP Security Expert (CMCPSE) certification covers sampling abuse detection with PoC scenarios.
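The controls above, combined into one client-side gate, as an added example that is not part of the original article or any MCP client: the request shape (a "messages" list plus an optional "tools" list), the server ids, the limits and the approve() callback standing in for the user's prompt-review UI are all assumptions.

```python
# Client-side gate for MCP sampling/createMessage requests (added example).
# Assumed, not from the page: `request` mirrors the JSON-RPC params of
# sampling/createMessage (a "messages" list, optional "tools"); server ids,
# limits and the approve() callback are hypothetical.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class SamplingGate:
    approved_servers: set = field(default_factory=set)   # default-deny list
    trusted_sampling: set = field(default_factory=set)   # may pass tool defs
    per_session: int = 20                 # requests per server per session
    per_day: int = 200                    # requests per server per 24 h
    session_count: dict = field(default_factory=lambda: defaultdict(int))
    day_window: dict = field(default_factory=lambda: defaultdict(deque))
    audit_log: list = field(default_factory=list)

    def evaluate(self, server: str, request: dict, now: float,
                 approve: Callable[[str, dict], bool]) -> tuple:
        """Return (allowed, reason); log every event with the full prompt."""
        window = self.day_window[server]
        while window and now - window[0] >= 86400:  # drop entries > 24 h old
            window.popleft()
        if server not in self.approved_servers:
            reason = "denied: server not approved for sampling"
        elif request.get("tools") and server not in self.trusted_sampling:
            reason = "denied: tool definitions from untrusted server"
        elif self.session_count[server] >= self.per_session:
            reason = "denied: per-session rate limit"
        elif len(window) >= self.per_day:
            reason = "denied: per-day rate limit"
        elif not approve(server, request):  # user reviews the full prompt here
            reason = "denied: user rejected prompt"
        else:
            reason = "allowed"
            self.session_count[server] += 1
            window.append(now)
        self.audit_log.append({"server": server, "time": now,
                               "decision": reason, "request": request})
        return reason == "allowed", reason

def demo() -> list:
    """Constructed requests through a gate that approves only 'code-review'."""
    gate = SamplingGate(approved_servers={"code-review"}, per_session=2)
    req = {"messages": [{"role": "user", "content": {"type": "text",
                                                     "text": "Summarize diff"}}]}
    with_tools = dict(req, tools=[{"name": "lookup_docs"}])  # constructed
    yes = lambda server, request: True  # stand-in for the user's approval UI
    return [gate.evaluate(s, r, t, yes)[1] for s, r, t in [
        ("unknown-srv", req, 0), ("code-review", with_tools, 1),
        ("code-review", req, 2), ("code-review", req, 3), ("code-review", req, 4)]]
```

Every decision, allowed or denied, lands in `audit_log` with the complete prompt, so the forensic record the text asks for exists even when the request never reaches the model.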

Summary

MCP Sampling Abuse hijacks the sampling feature to burn the user’s credits, exfiltrate context, generate phishing content, or smuggle tool definitions, all while inverting the usual MCP trust direction. Default-deny, full-prompt user review, and rate limits are the practical controls. The Certified MCP Security Expert (CMCPSE) certification trains engineers to spot and stop sampling abuse before billing fraud or content laundering happens.