Microsoft said my Azure MCP report was 'by design.' They're right — and that's the problem.

A tool that sends email was annotated read-only. That annotation decides whether your MCP client asks for confirmation. It's an advisory hint, not a security boundary — and the gap between those two facts is exploitable.