CoPhish Exploit Shows Trusted Microsoft Domains Aren’t Safe

[Image: Microsoft Copilot Studio agent interface illustrating token phishing redirection]

Researchers expose the CoPhish attack that steals OAuth tokens through malicious Copilot Studio agents

In a sophisticated identity-theft campaign, researchers at Datadog Security Labs uncovered a new phishing method dubbed “CoPhish”, which weaponises Microsoft Copilot Studio agents to steal OAuth tokens from enterprise users. The attack exploits seemingly legitimate Microsoft domains, making it especially deceptive and hard to detect. 

The Technique at a Glance

The threat actor creates a Copilot Studio agent on copilotstudio.microsoft.com, configures its Login / Sign-in topic to redirect to a malicious OAuth application, then shares the link with a target via phishing. Because the URL uses Microsoft infrastructure, it appears trusted. When the target consents, the token is intercepted and forwarded out. 

In effect, the attacker turns a bona-fide Copilot Studio agent into a phishing wrapper, harvesting User.AccessToken variables without raising immediate suspicion. 

Why This Attack Matters

Identity tokens warrant strict protection: a stolen token lets an attacker act as the user, access Graph API data, read or send mail, manipulate cloud resources, or pivot laterally. Traditional phishing often targets credentials, but CoPhish leverages OAuth consents and trusted domains to bypass typical network detection.

Because the traffic originates from Microsoft IPs, network logs may show no anomalous external connection. Attackers exploit the trust placed in the cloud vendor’s infrastructure.

Attack Chain Breakdown

Agent Creation

An attacker either uses a compromised user or a trial license to spin up a Copilot Studio agent in any Entra ID tenant. Within the agent, they customise the built-in “Login” topic to redirect to their malicious OAuth application. 

Token Capture

When a target clicks “Login”, they go through the Microsoft sign-in process at token.botframework.com, unaware that the token is then forwarded via an HTTP request embedded in the agent’s topic to a Collab URL (e.g., via Burp Collaborator). Because the user navigated through a legitimate microsoft.com domain, the steps appear safe.

Exploitation

With the token, the attacker can call Graph API endpoints with permissions granted by the victim (e.g., Mail.ReadWrite, Notes.ReadWrite), enabling data exfiltration, mailbox compromise or persistent access.

Who Is At Risk

  • Unprivileged users: Under Microsoft’s default Entra ID consent policy, certain scopes like Mail.Send, Notes.ReadWrite remain consentable by users. Attackers may lure them into consenting.

  • Application Administrators: These roles can consent to any application, including external ones, making them high-value targets despite other controls. 

Strategic Mitigation Steps

  • Enforce an application consent policy that restricts user consent to approved apps only.

  • Disable default user application registration so that only admins may register new apps.

  • Monitor Copilot Studio agent creation (BotCreate) and topic modification logs (BotComponentUpdate) in the Power Platform audit logs for signs of misuse. 

  • Apply the least-privilege principle to OAuth scopes and regularly review granted permissions.

  • Educate users about the risk of legitimate domains being reused for phishing (the “trusted domain” illusion).

Implications for Organisations

This campaign highlights a critical gap: trusted vendor domains no longer guarantee safe interactions. Attackers are leveraging legitimate cloud platforms as part of attack chains. Organisations must treat low-code tools (such as Copilot Studio agents) with the same suspicion as any unvetted internal app.

As more workflows migrate into low-code/no-code environments, the attack surface expands. Security operations must include governance around these tools, audit trails, and role-based access to avoid unintended threats.

Final Thoughts

The CoPhish technique illustrates how attackers evolve: shifting from credential collection to token hijacking, and from external phishing domains to trusted vendor infrastructure. The path to protection lies in governance, monitoring, and user awareness. Without them, even enterprise environments may fall prey to seemingly innocent sign-in prompts.

FAQs

Q1. What exactly is the CoPhish attack?
The CoPhish attack uses Microsoft Copilot Studio agents hosted on trusted domains to orchestrate OAuth consent phishing. Once a user consents, the attacker captures their session token and can act with their permissions.

Q2. Can multifactor authentication (MFA) stop this attack?
Not necessarily. Because a valid token is issued after user consent, MFA may have already been satisfied. The attacker uses that legitimate token rather than bypassing MFA directly.

Q3. How can organisations detect if they’ve been targeted by CoPhish?
Check audit logs for:

  • Unexpected consents granted to external/multi-tenant applications.

  • Creation of new Copilot Studio agents by users who don’t normally author them.

  • HTTP requests from Copilot Studio topics to unfamiliar URLs.
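
The audit-log checks listed here and under Strategic Mitigation Steps (BotCreate, BotComponentUpdate, unexpected consents) can be expressed as a small triage script. This is an added example, not code from Datadog or Microsoft; the log lines are constructed, and the BotId and AppId fields, the consent operation string and the allow-lists are assumptions.

```python
import json

# Constructed sample records, not real tenant data. CreationTime/UserId/Operation
# mirror the common Microsoft 365 audit layout; BotId, AppId and the consent
# operation string are assumptions made for this example.
SAMPLE_LOG = """\
{"CreationTime": "2025-10-20T09:12:03", "UserId": "maker@contoso.example", "Operation": "BotCreate", "BotId": "bot-001"}
{"CreationTime": "2025-10-20T09:40:11", "UserId": "maker@contoso.example", "Operation": "BotComponentUpdate", "BotId": "bot-001"}
{"CreationTime": "2025-10-21T14:02:55", "UserId": "intern@contoso.example", "Operation": "BotCreate", "BotId": "bot-777"}
{"CreationTime": "2025-10-21T14:06:30", "UserId": "intern@contoso.example", "Operation": "BotComponentUpdate", "BotId": "bot-777"}
{"CreationTime": "2025-10-21T15:20:00", "UserId": "victim@contoso.example", "Operation": "Consent to application.", "AppId": "00000000-0000-0000-0000-00000000aaaa"}
{"CreationTime": "2025-10-21T16:00:00", "UserId": "sales@contoso.example", "Operation": "Consent to application.", "AppId": "00000000-0000-0000-0000-00000000bbbb"}
not-json residue line (constructed)
"""
CONSENT_OP = "Consent to application."  # assumed operation name

def parse(log_text):
    """Yield audit records, skipping lines that are not JSON objects."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "Operation" in rec:
            yield rec

def detect(log_text, known_makers, approved_apps):
    """Return (severity, reason, user, object) tuples in time order."""
    findings, created = [], {}  # created: BotId -> unexpected creator
    for rec in sorted(parse(log_text), key=lambda r: str(r.get("CreationTime", ""))):
        op, user = rec["Operation"], str(rec.get("UserId") or "").lower()
        bot = rec.get("BotId")
        if op == "BotCreate" and user not in known_makers:
            created[bot] = user
            findings.append(("medium", "agent created by unexpected user", user, bot))
        elif op == "BotComponentUpdate" and user not in known_makers:
            # A topic edit by the same account that created the agent is the
            # create-then-customise sequence the article describes.
            sev = "high" if created.get(bot) == user else "medium"
            findings.append((sev, "topic modified by unexpected user", user, bot))
        elif op == CONSENT_OP and rec.get("AppId") not in approved_apps:
            findings.append(("high", "consent to unapproved app", user, rec.get("AppId")))
    return findings

if __name__ == "__main__":
    makers = {"maker@contoso.example"}  # lowercase allow-list of agent authors
    apps = {"00000000-0000-0000-0000-00000000bbbb"}  # approved app IDs
    for finding in detect(SAMPLE_LOG, makers, apps):
        print(finding)
```

Real exports need the field names mapped to whatever the tenant's audit pipeline emits before the rules are meaningful.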

Q4. Are only Microsoft Entra ID environments vulnerable?
The technique as described targets Entra ID and Copilot Studio, but conceptually similar low-code agent platforms in other ecosystems could also be leveraged.

Q5. Will Microsoft fix this vulnerability?
Microsoft has confirmed that it is investigating and plans updates to strengthen governance and consent experiences (source: BleepingComputer).