New CoPhish Attack Exploits Copilot Studio to Exfiltrate OAuth Tokens

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated phishing technique called CoPhish exploits Microsoft Copilot Studio to trick users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

Named by Datadog Security Labs, this method uses customizable AI agents hosted on legitimate Microsoft domains to wrap traditional OAuth consent attacks, making them appear trustworthy and lowering user suspicion.

The attack, detailed in a recent report, highlights ongoing vulnerabilities in cloud-based AI tools despite Microsoft’s efforts to tighten consent policies.

By leveraging Copilot Studio’s flexibility, attackers can create seemingly innocent chatbots that prompt users for login credentials, ultimately stealing OAuth tokens for malicious actions like reading emails or accessing calendars.

This development comes amid rapid evolution in AI services, where user-configurable features intended for productivity can inadvertently enable phishing. As organizations increasingly adopt tools like Copilot, such exploits underscore the need for vigilant oversight of low-code platforms.

OAuth consent attacks, classified under MITRE ATT&CK technique T1528, involve luring users into approving malicious app registrations that request broad permissions to sensitive data.

In Entra ID environments, attackers create app registrations seeking access to Microsoft Graph resources, such as email or OneNote, then direct victims to consent via phishing links. Once approved, the resulting token grants the attacker impersonation rights, enabling data exfiltration or further compromise.

Microsoft has bolstered defenses over the years, including 2020 restrictions on unverified apps and a July 2025 update setting “microsoft-user-default-recommended” as the default policy, which blocks consent for high-risk permissions like Sites.Read.All and Files.Read.All without admin approval.

However, gaps remain: unprivileged users can still approve internal apps for permissions like Mail.ReadWrite or Calendars.ReadWrite, and admins with roles such as Application Administrator can consent to any permissions on any app.

An upcoming late-October 2025 policy tweak will narrow these further but won’t fully protect privileged users.

CoPhish Attack Exploits Copilot

In the CoPhish technique, attackers build a malicious Copilot Studio agent (a customizable chatbot), using a trial license in their own tenant or in a compromised one, Datadog said.

The agent’s “Login” topic, a system workflow for authentication, is backdoored with an HTTP request that exfiltrates the user’s OAuth token to an attacker-controlled server after consent.

The demo website feature shares the agent via a URL like copilotstudio.microsoft.com, mimicking official Copilot services and evading basic domain checks.

Figure: malicious Copilot Studio page

The attack unfolds when a victim clicks a shared link, sees a familiar interface with a “Login” button, and is redirected to the malicious OAuth flow.

For internal targets, the app requests allowable scopes like Notes.ReadWrite; for admins, it can demand everything, including disallowed ones. Post-consent, a validation code from token.botframework.com completes the process, but the token is silently forwarded, often via Microsoft’s IPs, hiding it from user traffic logs.

Attackers can then use the token for actions like sending phishing emails or data theft, all without alerting the victim. A diagram illustrates this flow, showing the agent issuing tokens post-consent for exfiltration.

Figure: Attack chain

To counter CoPhish, experts recommend enforcing custom consent policies beyond Microsoft’s defaults, disabling user app creation, and monitoring Entra ID audit logs for suspicious consents or Copilot modifications.
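As an added example (not code from the article or from Datadog's report), the following Python scans an exported Entra ID audit log for "Consent to application" events and flags grants that were admin consent or that include the permissions the article names as still user-consentable or high-risk. The record layout, the app names and the user names in the embedded sample are constructed assumptions; adjust the watchlist to your tenant's consent policy.

```python
import json
import re

# Graph permissions the article names as user-consentable or high-risk.
WATCHLIST = {"Mail.ReadWrite", "Calendars.ReadWrite", "Notes.ReadWrite",
             "Sites.Read.All", "Files.Read.All"}

# Constructed sample records in the shape Entra ID exports for "Consent to
# application" audit events (field layout is an assumption, not from the article).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Helpful Assistant", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
         {"displayName": "ConsentAction.Permissions", "newValue":
          "\"[] => [[Id: 1, ConsentType: Principal, Scope: Notes.ReadWrite Mail.ReadWrite]]\""}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Expense Viewer", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
         {"displayName": "ConsentAction.Permissions", "newValue":
          "\"[] => [[Id: 2, ConsentType: Principal, Scope: User.Read]]\""}]}]},
])

def _prop(resource, name):
    """Return the unquoted newValue of one modifiedProperties entry, or ''."""
    for p in resource.get("modifiedProperties", []):
        if p.get("displayName") == name:
            return str(p.get("newValue", "")).strip('"')
    return ""

def scopes_from_consent(value):
    """Extract the space-separated Scope list from a ConsentAction.Permissions value."""
    m = re.search(r"Scope:\s*([^,\]]+)", value)
    return set(m.group(1).split()) if m else set()

def find_risky_consents(audit_json, watchlist=WATCHLIST):
    """Flag consent grants that are admin consent or include a watchlisted scope."""
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        user = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for res in rec.get("targetResources", []):
            scopes = scopes_from_consent(_prop(res, "ConsentAction.Permissions"))
            admin = _prop(res, "ConsentContext.IsAdminConsent").lower() == "true"
            hits = sorted(scopes & watchlist)
            if admin or hits:  # admin consent is always worth a look, per the article
                findings.append({"user": user, "app": res.get("displayName"),
                                 "admin_consent": admin, "risky_scopes": hits})
    return findings
```

Running `find_risky_consents(SAMPLE_AUDIT_LOG)` flags only the first grant, since User.Read is not on the watchlist.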

This attack serves as a cautionary tale for emerging AI platforms: their ease of customization amplifies risks when paired with identity systems. As cloud services proliferate, organizations must prioritize robust policies to safeguard against such hybrid threats.
