New 'CoPhish' technique abuses Microsoft Copilot Studio to steal OAuth tokens

A phishing method discovered by Datadog researchers exploits trusted Microsoft domains to trick users into handing over access tokens via malicious Copilot Studio agents.

What happened

Researchers at Datadog Security Labs have disclosed a phishing technique called CoPhish that manipulates Microsoft Copilot Studio’s demo website feature to deliver fake OAuth consent prompts using legitimate Microsoft URLs. The attack, while reliant on social engineering, allows hackers to extract OAuth tokens without triggering user suspicion, as the interface appears to be part of Microsoft’s official services.

Microsoft has acknowledged the vulnerability and confirmed plans to address it through future product updates. Until then, the company recommends limiting administrative privileges and enforcing stronger governance policies.

Going deeper

Copilot Studio lets users build chatbots, called agents, using customizable workflows called “topics.” When the “demo website” feature is enabled, agents can be hosted at URLs on Microsoft’s official domain (copilotstudio.microsoft.com), making phishing pages appear authentic.

Attackers configure the agent’s sign-in topic to initiate OAuth flows and redirect users to malicious URLs. Once the user clicks the login button, a session token is harvested via a configured HTTP request to an external server. The process leverages Microsoft's own infrastructure, meaning the token delivery appears to originate from Microsoft IP addresses, bypassing typical red flags in network traffic.

While a pending Microsoft policy change will limit OAuth access scopes for low-privilege users, Datadog’s Katie Knowles warns that administrators can still be exploited even after the update, since the change does not apply to high-privilege roles. Admins who approve permissions for unverified apps may unknowingly authorize malicious actors.

What was said

A Microsoft spokesperson told BleepingComputer, “We’ve investigated this report and are taking action to address it through future product updates… we remain committed to hardening our governance and consent experiences.”

Datadog urges organizations to adopt stronger consent policies, disable default user app creation, and closely monitor agent creation and consent events through Entra ID and Microsoft Copilot Studio logs.

The big picture

According to CyberPress, the disclosure “serves as a critical reminder that legitimate Microsoft domains and services require the same security scrutiny as external platforms.” As organizations expand their use of cloud applications, CyberPress warns that “vigilant oversight of consent policies and user application creation capabilities” is necessary to prevent unauthorized token theft and data exfiltration, risks that increasingly blur the line between trusted platforms and active attack surfaces.

FAQs

Why are OAuth tokens a target in phishing campaigns?

OAuth tokens grant session-level access to apps and services without needing usernames or passwords, making them highly valuable for persistent, covert access.

What makes CoPhish difficult to detect?

The phishing pages are hosted on Microsoft’s official domain and IP addresses, so traffic appears legitimate and is less likely to raise alarms in security logs.

How can organizations monitor for malicious Copilot agents?

Admins should review Copilot Studio agent creation logs and cross-reference with Entra ID application consent events to spot anomalies or unauthorized apps.

What safeguards can reduce the impact of such attacks?

Enforcing strong application consent policies, restricting app registration, and limiting admin roles can greatly reduce exposure to CoPhish-style attacks.

Will future Microsoft updates fully stop CoPhish?

The planned updates will limit some attack vectors, especially for low-privilege users, but will not prevent attacks targeting administrators or using externally registered apps.