TLDR: A novel phishing technique, dubbed “CoPhish,” has emerged, exploiting Microsoft Copilot Studio agents to facilitate OAuth token theft. This method allows attackers to deliver fraudulent OAuth consent requests via legitimate Microsoft domains, making the attacks appear highly credible to unsuspecting users. The attack can also automate the exfiltration of stolen tokens, posing a significant risk to internal users and Application Administrators.
A sophisticated new phishing campaign, termed “CoPhish,” is actively exploiting Microsoft Copilot Studio agents to bypass existing security measures and steal OAuth tokens. This innovative attack vector leverages the legitimate infrastructure of Microsoft Copilot Studio to host malicious content, redirecting users to fraudulent OAuth applications while maintaining the appearance of a trusted Microsoft domain. This significantly enhances the credibility of phishing attempts, making them harder for users to detect.
Datadog Security Labs, in a report published on October 20, 2025, detailed how these attacks function. Microsoft Copilot Studio, a platform for building AI-powered chatbots (agents) with customizable automations (topics), offers flexibility that can be exploited by malicious actors. Attackers can configure an agent’s “Login” button to redirect users to any URL, including those hosting OAuth consent attacks. The process begins with a user receiving a link to a malicious Copilot Studio agent, often indistinguishable from legitimate Microsoft Copilot services due to the consistent domain (copilotstudio.microsoft.com).
Upon clicking “Login,” users are redirected to a malicious OAuth application. Crucially, the attack can be automated within Copilot Studio’s topics to exfiltrate the resulting OAuth token to an attacker-controlled URL. This token can then be used to perform actions on the user’s behalf, such as reading, writing, and sending emails (Mail.ReadWrite, Mail.Send), managing chats (Chat.ReadWrite), or accessing OneNote data (Notes.ReadWrite), depending on the granted permissions.
Despite Microsoft’s continuous efforts to enhance protections against OAuth consent attacks, including updates in July 2025 and further changes slated for late October 2025, vulnerabilities persist. The Datadog report highlights two primary scenarios where users remain susceptible:
1. Unprivileged Internal Users: These users can still consent to certain Microsoft Graph permissions for internal applications, provided the requested permissions are not explicitly blocked by policy and do not require administrative consent. Attackers can register malicious applications within the same Entra ID tenant to exploit this.
2. Application Administrators: Users with roles like Cloud Application Administrator or Application Administrator are particularly vulnerable as they can consent to any Microsoft Graph permissions for any application, internal or external, without requiring additional approval. This makes them prime targets for attackers seeking broad access.
To mitigate these risks, Datadog Security Labs recommends several security considerations:
* Enforce Robust Application Consent Policies: Organizations should implement stronger application consent policies beyond Microsoft’s default settings to prevent unprivileged users from granting access to sensitive data. Administrative users, who are always at risk of accidental consent to high-risk applications, must exercise extreme caution.
* Disable User Application Creation Defaults: By default, all Entra ID member users can register new applications. Disabling this default can prevent attackers with compromised user accounts from creating new applications for internal OAuth phishing.
* Monitor Application Consent: Organizations should actively monitor Entra ID Audit logs for “Consent to application” activities and Microsoft 365 Audit logs for “Consent to application” operations to detect suspicious activities.
* Monitor Copilot Studio Agent Creation and Modification: Unusual creation of Copilot Studio agents or modifications to system topics, particularly the “Signin” topic, should be flagged as potential indicators of malicious activity. Relevant Microsoft 365 events include “BotCreate” and “BotComponentUpdate” within the PowerPlatform workload.
Also Read:
- Critical Security Flaw Discovered in OpenAI’s ChatGPT Atlas Browser: Malicious Prompts Disguised as URLs
- Cybersecurity Certifications Evolve to Combat GenAI and Cloud-Native Threats in 2025
This new CoPhish attack underscores the evolving threat landscape in cloud services and the importance of treating new low-code solutions, even those on legitimate Microsoft domains, with caution.
