A newly identified phishing technique known as "CoPhish" exploits Microsoft Copilot Studio agents to deliver deceptive OAuth consent prompts through legitimate Microsoft domains.
Researchers at Datadog Security Labs discovered the method, warning that Copilot Studio's high level of customization can unintentionally create new phishing vectors.
While the attack depends primarily on social engineering, Microsoft confirmed that it is working on a fix.
A company spokesperson stated that Microsoft is "taking action to address it through future product updates" and remains focused on strengthening consent governance and implementing extra safeguards to prevent misuse.
How OAuth Tokens Work
In an OAuth consent phishing attack targeting Microsoft Entra ID, an adversary registers a malicious application that requests permissions to access or control a victim's data. The attacker then tricks the user into granting consent through Entra ID's legitimate application consent process.
Once consent is granted, the platform issues an access token with those permissions and redirects it to a URL controlled by the attacker.
This token can then be used to impersonate the victim, view emails, or access sensitive corporate resources.
Microsoft provides a detailed breakdown of this attack chain and its mitigations in its official security blog.
How it Works
Once a malicious Copilot Studio agent's demo page is activated, attackers can share its link through phishing emails or Microsoft Teams messages.
Because the URL is hosted on an official Microsoft domain and visually resembles a legitimate Copilot page, victims may easily mistake it for a real service.
Datadog's Chris Knowles noted that a subtle clue, the "Microsoft Power Platform" icon, could hint that something is amiss, though many users would likely overlook it.
When a victim clicks the login button and grants permissions, they are redirected through the legitimate Copilot authentication service at token.botframework.com.
Although this appears to be a standard Microsoft sign-in flow, the session token is covertly captured and forwarded to the attacker using tools such as Burp Collaborator, allowing the threat actor to hijack the session seamlessly.
Because all authentication traffic is routed through Microsoft's infrastructure, it appears trustworthy and leaves no trace of suspicious activity in network logs.
Datadog's researchers detailed this entire exploit path, from the victim's interaction with the malicious Copilot agent to the attacker's receipt of the stolen token, in their analysis of the CoPhish attack.
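Since the flow described above ends on a Microsoft host, a defender reviewing a reported consent link has to judge the requesting application and its scopes rather than the redirect domain. The following is an added example, not code from Datadog or Microsoft: the approved application ID list, the high-risk scope list, the function name and the sample URL are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: scopes a reviewer treats as high impact when delegated to an unknown app.
HIGH_RISK_SCOPES = {"mail.read", "mail.readwrite", "mail.send",
                    "files.readwrite.all", "notes.readwrite", "offline_access"}
# Constructed allowlist of application (client) IDs the tenant has approved.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
# Microsoft-owned redirect host named in the article.
MICROSOFT_REDIRECT_HOSTS = {"token.botframework.com"}


def triage_consent_url(url):
    """Return a list of findings for an OAuth authorization request URL."""
    query = parse_qs(urlsplit(url).query)
    findings = []

    client_id = query.get("client_id", [""])[0].lower()
    if client_id not in APPROVED_APP_IDS:
        findings.append("unapproved_app:" + (client_id or "missing"))

    # Scopes are space separated; compare the short name, case-insensitively.
    scopes = query.get("scope", [""])[0].split()
    short_names = {s.rsplit("/", 1)[-1].lower() for s in scopes}
    risky = sorted(short_names & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high_risk_scopes:" + ",".join(risky))

    redirect = query.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower()
    if redirect_host in MICROSOFT_REDIRECT_HOSTS:
        # A Microsoft-hosted redirect is not evidence that the app is benign.
        findings.append("redirect_on_microsoft_host:" + redirect_host)
    elif redirect_host:
        findings.append("external_redirect:" + redirect_host)
    return findings


# Constructed sample request, not taken from the article.
SAMPLE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
          "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
          "&redirect_uri=https%3A%2F%2Ftoken.botframework.com%2F"
          "&scope=openid%20Mail.ReadWrite%20Notes.ReadWrite%20offline_access")

if __name__ == "__main__":
    for finding in triage_consent_url(SAMPLE):
        print(finding)
```

A redirect-domain allowlist alone would pass the sample request; the unapproved application ID and the delegated mail and notes scopes are what mark it for review.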
