A new phishing method manipulates Copilot Studio agents on Microsoft’s trusted domains to hijack user sessions through deceptive OAuth requests.
A Dangerous Twist in Phishing: Introducing ‘CoPhish’
A new phishing technique called “CoPhish” has been uncovered by Datadog Security Labs, exposing a sophisticated method of exploiting Microsoft Copilot Studio agents to steal OAuth tokens via legitimate Microsoft domains.
The phishing risk is particularly deceptive because the malicious agents are hosted on Microsoft’s trusted domain, making them appear authentic. Though Microsoft confirms that the attack relies heavily on social engineering, it plans to address the underlying issues in future updates.
How CoPhish Works Through Copilot Studio
Copilot Studio enables users to create custom chatbots using workflow-based “topics” hosted at copilotstudio.microsoft.com. These bots can be shared publicly using the “demo website” feature, producing a Microsoft-branded URL that enhances trust.
- Attackers customize the sign-in process of the bot by configuring the Login topic to redirect users or request sensitive information.
- This legitimate-looking login flow tricks users into consenting to malicious OAuth requests, often granting access to sensitive data or admin-level actions.

OAuth Token Theft via Session Hijacking
The key objective of CoPhish is to capture OAuth session tokens from unsuspecting users.
- Attackers create a malicious multi-tenant app and embed it in the Copilot agent’s Login topic.
- When the user logs in, their token is secretly sent to an attacker-controlled Burp Collaborator URL using a token header in an HTTP request.
- The attack exploits the normal Copilot Studio authentication flow, so users receive no warning or alert after granting access.

Why This Is So Dangerous
Even administrators—who can grant high-level permissions to third-party apps—can be deceived. Datadog’s Katie Knowles notes that admins can approve external apps, even if those apps are unverified and not registered with the organization.
- Microsoft’s default security policy currently allows broad OAuth permissions, making this an attractive vector.
- Even after future updates, highly privileged roles remain vulnerable unless stricter consent policies are applied.
Why Users Are Likely to Fall for It
The appearance of legitimacy is what makes CoPhish so effective.
- The attack uses Microsoft IP addresses and domains, so network monitoring tools won’t flag the traffic as suspicious.
- The chatbot page and login prompts are indistinguishable from official Microsoft services, except for subtle cues like the “Microsoft Power Platform” icon, which users may overlook.
Visualizing the CoPhish Attack Flow
The attack sequence involves several stages:
- Attacker creates malicious agent with OAuth consent redirection.
- Victim receives phishing message with Microsoft-hosted Copilot URL.
- Victim logs in, unknowingly authorizing the malicious app.
- OAuth token is exfiltrated silently to the attacker.
- Victim continues to interact with the bot, unaware their session has been hijacked.
Microsoft’s Response and Mitigation Steps
Microsoft acknowledges the issue and states it will harden governance and consent mechanisms in future updates.
In the meantime, organizations can protect themselves by:
- Restricting administrative privileges to reduce risk exposure.
- Limiting application creation by default for end-users.
- Enforcing strict application consent policies via Entra ID.
- Monitoring Copilot Studio agent deployments and consent events.
Datadog’s Recommendations for Defense
Datadog suggests:
- Disabling user-led app creation to control what gets deployed.
- Auditing and reviewing OAuth consents regularly.
- Using custom policies to fill in the gaps left by Microsoft’s defaults.
These steps are essential for organizations using Copilot Studio to avoid falling prey to covert attacks like CoPhish.
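
As an illustration of the consent audit recommended above, the following added example (not code from Datadog or Microsoft) flags delegated grants to apps that are both owned by another tenant and unverified. It assumes the tenant's service principals and delegated permission grants were exported as JSON in Microsoft Graph's shape; the sample records, IDs and the list of sensitive scopes are constructed for the example.

```python
import json

# Constructed sample data shaped like Microsoft Graph exports of
# servicePrincipals and oauth2PermissionGrants (all IDs are placeholders).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
SERVICE_PRINCIPALS = json.loads("""[
 {"id": "sp-1", "displayName": "HR Portal", "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111", "verifiedPublisher": {"displayName": null}},
 {"id": "sp-2", "displayName": "Doc Helper", "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999", "verifiedPublisher": {"displayName": null}},
 {"id": "sp-3", "displayName": "Vendor CRM", "appOwnerOrganizationId": "88888888-8888-8888-8888-888888888888", "verifiedPublisher": {"displayName": "Vendor Inc"}}
]""")
GRANTS = json.loads("""[
 {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": null, "scope": "User.Read Mail.ReadWrite"},
 {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-7", "scope": "openid Mail.ReadWrite Notes.Read"},
 {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null, "scope": "Application.ReadWrite.All"},
 {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-9", "scope": "Files.ReadWrite.All"},
 {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-8", "scope": "openid profile"}
]""")

# Assumption: scopes this organization treats as sensitive; tune to local policy.
SENSITIVE = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Notes.ReadWrite",
             "Application.ReadWrite.All", "Directory.ReadWrite.All"}

def review_grants(grants, service_principals, home_tenant, sensitive=SENSITIVE):
    """Return findings for delegated grants to external, unverified apps."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"])
        if sp is None:
            # Grant points at a client missing from the export: review by hand.
            findings.append({"app": g["clientId"], "severity": "review", "scopes": [], "who": None})
            continue
        external = sp.get("appOwnerOrganizationId") != home_tenant
        verified = bool((sp.get("verifiedPublisher") or {}).get("displayName"))
        risky = sorted(set(g.get("scope", "").split()) & sensitive)
        if not external or verified or not risky:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"  # admin consent for all users
        findings.append({"app": sp["displayName"], "scopes": risky,
                         "severity": "high" if tenant_wide else "medium",
                         "who": "all users" if tenant_wide else g.get("principalId")})
    return sorted(findings, key=lambda f: f["severity"])  # "high" sorts first

if __name__ == "__main__":
    for f in review_grants(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT):
        print(f)
```

Tenant-wide grants rank highest because one administrator's consent covers every user, which is the case the article singles out.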
A new phishing method called CoPhish uses Microsoft Copilot Studio agents to trick users—especially admins—into authorizing malicious apps via trusted Microsoft domains. OAuth tokens are silently exfiltrated, and the attack is nearly undetectable. Microsoft plans future fixes, but mitigation requires proactive policy controls now.








