CoPhish Exploit via Microsoft Copilot: OAuth Token Theft Exposes Trusted Domains

A new phishing technique called “CoPhish” exploits Microsoft Copilot Studio to deliver OAuth-based attacks through legitimate Microsoft domains. By embedding malicious login flows in Copilot agents, attackers trick users into granting access tokens, enabling data theft from Microsoft 365 environments.

    A newly disclosed phishing technique, dubbed “CoPhish,” demonstrates how attackers can blend deceptive OAuth consent requests into trusted Microsoft infrastructure by abusing Microsoft’s Copilot Studio. The method poses a significant security risk by exploiting Microsoft-hosted chatbots to distribute phishing links through legitimate domains—substantially increasing the credibility and success rate of the attack.

    CoPhish Uses Microsoft Copilot Studio To Deliver OAuth-Based Phishing Attacks

    By embedding malicious actions within Copilot Studio’s customizable agents, attackers trick users into granting OAuth permissions to rogue apps—effectively enabling data theft while operating within the appearance of Microsoft’s trusted environment.

    Microsoft Copilot Studio allows users to create AI-driven agents (customizable chatbots) that can be hosted and accessed on a Microsoft domain. These bots offer broad flexibility, including demo URLs that let users interact with them through seemingly official Microsoft web interfaces. CoPhish weaponizes this feature set to solicit fraudulent OAuth permissions from unsuspecting users under the guise of legitimate Microsoft workflows.

    The core of the CoPhish phishing attack lies in configuring Copilot agents with malicious behavior embedded into their “Login” topic. This topic typically defines the user’s sign-in flow with the agent, but in this attack scenario it has been manipulated to initiate dangerous operations:

    • Instead of guiding the user through a benign authentication process, the agent redirects them to a malicious multi-tenant application.
    • The attacker sets up this external or internal app to request OAuth permissions, leveraging the standard Microsoft authentication interface.
    • The customized Login button embedded in the Copilot agent connects directly to the malicious app, requesting access to the user’s session token.

    Once the user authorizes the connection as prompted, the token can be secretly exfiltrated.

    Session Tokens Are Leaked to Attacker-Controlled Servers

    The exploitation continues with session hijacking via HTTP requests. Specifically:

    1. The attacker configures the malicious Copilot agent to make an HTTP request during the login sequence.
    2. This request sends the user’s session access token in the header, under a field named “token.”
    3. The destination is a Burp Collaborator URL—an attacker-controlled endpoint—which logs the incoming token for offline use.

    With this token, the attacker gains unauthorized access to the user’s Microsoft 365 environment, potentially accessing emails, files, calendar events, or administrative settings based on the granted permissions.

    Phishing Distribution Mimics Trustworthy Microsoft Channels

    What makes CoPhish particularly dangerous is the legitimacy of the delivery infrastructure. Since the agents are hosted under official Microsoft domains, they can be convincingly distributed through:

    • Phishing emails impersonating internal IT or trusted SaaS services
    • Microsoft Teams messages, increasing perceived legitimacy within internal communication tools

    The seamless Microsoft-branded experience reduces a user’s suspicion, even during OAuth prompts that would typically raise red flags.

    Security Decisions Determine CoPhish Exposure Risk

    CoPhish attacks can succeed against both privileged and non-privileged users, depending on Identity and Access Management (IAM) settings. Organizations with lax application consent policies, broad app creation rights, and insufficient monitoring are particularly vulnerable.

    To reduce the risk of these token exfiltration attacks via Copilot Studio, organizations should review and adjust their OAuth governance posture.

    Datadog Security Labs and Microsoft offer several actionable measures to counter possible CoPhish exploitation:

    • Restrict Application Consent: Enforce administrative approval for application authorization requests, especially from unknown multi-tenant applications.
    • Limit Admin Privileges: Assign elevated access (Global Admin, App Admin) only to essential personnel to reduce the blast radius of successful phishing attempts.
    • Disable Default App Creation: Prevent end-users from registering or creating applications in Microsoft Entra ID (formerly Azure AD) by default.
    • Monitor Chatbot Creation and App Consents: Continuously audit the creation of Copilot Studio agents and the permissions granted to connected applications. Unusual patterns should trigger escalation.
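
One way to implement the consent-monitoring measure above, as an added example that is not from the article, Datadog, or Microsoft: it scans exported audit records for successful user consents to apps outside an approved list that include high-risk delegated scopes. The record shape is a simplified, assumed form of Entra ID "Consent to application" audit events; the property names, the scope list, the service principal IDs, and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: delegated scopes that warrant escalation; tune for your tenant.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "Notes.ReadWrite"}

def props_of(target):
    """Flatten modifiedProperties into {displayName: newValue}, unquoted."""
    return {p["displayName"]: str(p.get("newValue", "")).strip('"')
            for p in target.get("modifiedProperties", [])}

def flag_risky_consents(events, approved_sp_ids):
    """One finding per successful consent to an unapproved app with a high-risk scope."""
    findings = []
    for ev in events:
        if (ev.get("activityDisplayName") != "Consent to application"
                or ev.get("result") != "success"):
            continue
        user = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for target in ev.get("targetResources", []):
            if target.get("id") in approved_sp_ids:
                continue  # app already reviewed and allowlisted
            props = props_of(target)
            scopes = set()
            # Scopes appear as a space-separated list after "Scope:" (assumed layout).
            for m in re.finditer(r"Scope:\s*([^,\]]*)", props.get("ConsentAction.Permissions", "")):
                scopes.update(m.group(1).split())
            risky = sorted(scopes & HIGH_RISK_SCOPES)
            if risky:
                findings.append({"user": user, "app": target.get("displayName"),
                                 "sp_id": target.get("id"), "risky_scopes": risky,
                                 "admin_consent": props.get("ConsentContext.IsAdminConsent", "").lower() == "true"})
    return findings

def consent_event(upn, sp_id, app, scopes, admin="False"):
    """Build a constructed audit record (simplified shape, not real tenant data)."""
    return {"activityDisplayName": "Consent to application", "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": sp_id, "displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": f'"{admin}"'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"[] => [[ConsentType: Principal, Scope: {scopes}, CreatedDateTime: ]]"}]}]}

SAMPLE_EVENTS = [  # constructed sample input
    consent_event("alice@example.com", "sp-unknown-1", "Helpdesk Login", "Mail.ReadWrite Mail.Send Notes.ReadWrite offline_access"),
    consent_event("bob@example.com", "sp-approved", "Corp Wiki", "Mail.Read"),
    consent_event("carol@example.com", "sp-unknown-2", "Survey Tool", "User.Read openid"),
]
```

Calling `flag_risky_consents(SAMPLE_EVENTS, approved_sp_ids={"sp-approved"})` returns a single finding for the first record; the allowlisted app and the low-privilege consent are not flagged.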

    Microsoft has confirmed the issue’s legitimacy and committed to addressing it in upcoming product enhancements. In an official statement, the company noted, “We’re taking action to address [this issue] through future product updates… and are evaluating additional safeguards to help organizations prevent misuse.”

    Trust In Domain Infrastructure Heightens Attack Success Rate

    Unlike traditional phishing campaigns hosted on obviously suspicious domains, CoPhish increases trust through its appearance of official affiliation with Microsoft. The effectiveness of phishing emails or in-app messages relies on users’ assumption of legitimacy based on domain structure and branding.

    This latest attack method underlines an important shift in the threat landscape—phishing attacks no longer require overt deception when they can instead weaponize trusted tools. Organizations should act swiftly to test for similar misconfigurations, educate users on unexpected OAuth prompts from internal-looking apps, and prepare detection rules for unusual token forwarding behaviors.

    Through proactive defense measures and policy enforcement, enterprises can reduce the risk posed by increasingly sophisticated social engineering attacks like CoPhish while awaiting product-side hardening from Microsoft.
