A novel phishing technique called CoPhish abuses Microsoft Copilot Studio to trick users into granting attackers unauthorized access to their Microsoft Entra ID accounts.
Named by Datadog Security Labs, the method uses customizable AI agents hosted on legitimate Microsoft domains to wrap a traditional OAuth consent attack, making the consent prompt look trustworthy and defusing user suspicion.
The attack, detailed in a recent Datadog report, highlights ongoing weaknesses in cloud-based AI tooling despite Microsoft's efforts to tighten consent policies.
By leveraging Copilot Studio's flexibility, attackers can build seemingly harmless chatbots that prompt users to sign in and consent, ultimately capturing OAuth tokens that can be used to read email, access calendars, or perform other actions as the victim. No password is phished; the victim authenticates legitimately to Microsoft, and it is the resulting token that is stolen.
This development comes amid rapid evolution in AI services, where user-configurable features intended for productivity can inadvertently enable phishing. As organizations increasingly adopt tools like Copilot, such abuse underscores the need for oversight of low-code platforms.
OAuth consent attacks, catalogued as MITRE ATT&CK technique T1528 (Steal Application Access Token), involve luring users into approving malicious app registrations that request broad permissions to sensitive data.
In Entra ID environments, attackers create app registrations requesting access to Microsoft Graph resources, such as email or OneNote, then direct victims to the consent prompt via phishing links. Once the user approves, the resulting access token lets the attacker act on the victim's behalf, enabling data exfiltration or further compromise.
Microsoft has strengthened defenses over time, including 2020 restrictions on consent to unverified apps and a July 2025 update that made "microsoft-user-default-recommended" the default user-consent policy, which blocks user consent for high-risk permissions such as Sites.Read.All and Files.Read.All without admin approval.
However, gaps remain: unprivileged users can still approve internal (same-tenant) apps for permissions such as Mail.ReadWrite or Calendars.ReadWrite, and admins holding roles such as Application Administrator can consent to any permission on any app.
An upcoming late-October 2025 policy change will narrow these gaps further but will not fully protect privileged users.
CoPhish Attack Exploits Copilot
In the CoPhish technique, attackers build a malicious Copilot Studio agent, a customizable chatbot, using a trial license in their own tenant or in a compromised one, Datadog said.
The agent's "Login" topic, the system workflow that handles user authentication, is backdoored with an HTTP request action that forwards the user's OAuth token to an attacker-controlled server once consent is granted.
The demo website feature then publishes the agent at a URL on copilotstudio.microsoft.com, so the page is served from a genuine Microsoft domain and passes basic domain checks.
Figure: malicious Copilot Studio page
The attack unfolds when a victim clicks the shared link, sees a familiar Copilot interface with a "Login" button, and is redirected into the malicious OAuth consent flow.
For ordinary users the app requests scopes that the default policy still permits, such as Notes.ReadWrite; for admins it can request everything, including the scopes users are blocked from granting. After consent, a validation code from token.botframework.com completes the sign-in, and the agent silently forwards the token to the attacker. Because the HTTP request is issued by the Copilot Studio agent rather than the victim's browser, it originates from Microsoft's IP space and never appears in the victim's own network traffic.
Attackers can then use the token to send phishing emails from the victim's mailbox, steal data, or take other actions, all without alerting the victim. A diagram illustrates this flow, showing the agent handing the token to the attacker after consent.
Figure: attack chain
To counter CoPhish, the report recommends configuring custom consent policies that go beyond Microsoft's defaults, disabling app registration by ordinary users, and monitoring Entra ID audit logs for unexpected consent grants and for changes to Copilot Studio agents.
The attack is a cautionary tale for emerging AI platforms: their ease of customization amplifies risk when combined with identity systems. As such services proliferate, organizations must treat consent policy and audit coverage as first-class security controls rather than defaults to be accepted.
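The following PowerShell is an added example, not code from Datadog's report or from Microsoft, showing one way to implement those three recommendations with the Microsoft Graph PowerShell SDK. The policy name `cophish-hardened`, the chosen scope list, and the seven-day lookback are assumptions for illustration. It creates a custom permission grant policy that only lets users consent to apps from verified publishers and never to the mail, calendar and notes scopes the article calls out, assigns that policy as the tenant's user-consent policy, turns off user app registration, and finally lists recent "Consent to application" events from the directory audit log.

```powershell
# Added example (not from the Datadog report): hardens user consent in Entra ID beyond the
# "microsoft-user-default-recommended" policy and hunts for consent grants in the audit log.
# Assumptions: Microsoft.Graph module installed; policy ID and scope list chosen for this example.
Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "Policy.ReadWrite.Authorization",
                        "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource application ID
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Delegated scopes that users can still self-consent to under Microsoft's default policy.
$blockedScopes = @("Mail.ReadWrite", "Calendars.ReadWrite", "Notes.ReadWrite")
$blockedIds = $graphSp.Oauth2PermissionScopes |
    Where-Object { $_.Value -in $blockedScopes } |
    Select-Object -ExpandProperty Id

# 1. Custom permission grant policy: users may consent only to verified-publisher apps,
#    and never to the scopes above, whoever published the app.
$policyId = "cophish-hardened"   # assumed name
New-MgPolicyPermissionGrantPolicy -Id $policyId `
    -DisplayName "Block mail/calendar/notes self-consent" `
    -Description "Custom user-consent policy; OAuth consent phishing mitigation" | Out-Null

New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId -BodyParameter @{
    permissionType                              = "delegated"
    clientApplicationsFromVerifiedPublisherOnly = $true
} | Out-Null

New-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $policyId -BodyParameter @{
    permissionType      = "delegated"
    resourceApplication = $graphAppId
    permissions         = $blockedIds
} | Out-Null

# 2. Make it the tenant's user-consent policy and stop ordinary users registering apps.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    allowedToCreateApps             = $false
    permissionGrantPoliciesAssigned = @("managePermissionGrantsForSelf.$policyId")
}

# 3. Hunt: who consented to which app, with which scopes, in the last 7 days.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    ForEach-Object {
        $target = $_.TargetResources | Select-Object -First 1
        [pscustomobject]@{
            Time   = $_.ActivityDateTime
            User   = $_.InitiatedBy.User.UserPrincipalName
            App    = $target.DisplayName
            Result = $_.Result
            Admin  = ($target.ModifiedProperties |
                      Where-Object DisplayName -eq "ConsentContext.IsAdminConsent").NewValue
            Scopes = ($target.ModifiedProperties |
                      Where-Object DisplayName -eq "ConsentAction.Permissions").NewValue
        }
    } | Format-Table -AutoSize
```

Two caveats match the gaps the article describes. A user-consent policy constrains only self-service consent: anyone holding Application Administrator or a similar role can still grant any scope, so the audit query's `Admin` column (admin consent events) deserves the closest review. And the consent audit event records the grant, not the token's later use; Copilot Studio agent changes are logged on the Power Platform side, not in the Entra directory audit.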
