Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

New 'CoPhish' technique abuses Microsoft Copilot Studio to steal OAuth tokens

Written by Farah Amod | November 15, 2025

A phishing method discovered by Datadog researchers exploits trusted Microsoft domains to trick users into handing over access tokens via malicious Copilot Studio agents.

 

What happened

Researchers at Datadog Security Labs have disclosed a phishing technique called CoPhish that manipulates Microsoft Copilot Studio’s demo website feature to deliver fake OAuth consent prompts using legitimate Microsoft URLs. The attack, while reliant on social engineering, allows hackers to extract OAuth tokens without triggering user suspicion, as the interface appears to be part of Microsoft’s official services.

Microsoft has acknowledged the vulnerability and confirmed plans to address it through future product updates. Until then, the company recommends limiting administrative privileges and enforcing stronger governance policies.

 

Going deeper

Copilot Studio lets users build chatbots, called agents, using customizable workflows called “topics.” When the “demo website” feature is enabled, agents can be hosted at URLs on Microsoft’s official domain (copilotstudio.microsoft.com), making phishing pages appear authentic.

Attackers configure the agent’s sign-in topic to initiate OAuth flows and redirect users to malicious URLs. Once the user clicks the login button, a session token is harvested via a configured HTTP request to an external server. The process leverages Microsoft's own infrastructure, meaning the token delivery appears to originate from Microsoft IP addresses, bypassing typical red flags in network traffic.

While a pending Microsoft policy change will limit OAuth access scopes for low-privilege users, Datadog’s Katie Knowles warns that administrators can still be exploited even after the update, since the change does not apply to high-privilege roles. Admins who approve permissions for unverified apps may unknowingly authorize malicious actors.

 

What was said

A Microsoft spokesperson told BleepingComputer, “We’ve investigated this report and are taking action to address it through future product updates… we remain committed to hardening our governance and consent experiences.”

Datadog urges organizations to adopt stronger consent policies, disable default user app creation, and closely monitor agent creation and consent events through Entra ID and Microsoft Copilot Studio logs.

 

The big picture

According to CyberPress, the disclosure “serves as a critical reminder that legitimate Microsoft domains and services require the same security scrutiny as external platforms.” As organizations expand their use of cloud applications, CyberPress warns that “vigilant oversight of consent policies and user application creation capabilities” is necessary to prevent unauthorized token theft and data exfiltration, risks that increasingly blur the line between trusted platforms and active attack surfaces.

 

FAQs

Why are OAuth tokens a target in phishing campaigns?

OAuth tokens grant session-level access to apps and services without needing usernames or passwords, making them highly valuable for persistent, covert access.

 

What makes CoPhish difficult to detect?

The phishing pages are hosted on Microsoft’s official domain and IP addresses, so traffic appears legitimate and is less likely to raise alarms in security logs.

 

How can organizations monitor for malicious Copilot agents?

Admins should review Copilot Studio agent creation logs and cross-reference with Entra ID application consent events to spot anomalies or unauthorized apps.
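The cross-referencing described above, and in Datadog's monitoring advice earlier in the article, can be sketched as a short script. This is an added example, not code from Datadog, Microsoft, or Paubox. The event records, field names, allowlist, and 24-hour window are constructed assumptions rather than the real Entra ID or Copilot Studio log schema, and it assumes both event types have been exported from the same tenant.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are simplified assumptions,
# not the real Entra ID or Copilot Studio audit log schema.
CONSENT_EVENTS = [
    {"time": "2025-11-03T09:12:00", "user": "alice@example.com",
     "app_id": "app-approved-001", "admin_consent": False},
    {"time": "2025-11-03T14:40:00", "user": "bob@example.com",
     "app_id": "app-unknown-777", "admin_consent": False},
    {"time": "2025-11-06T08:05:00", "user": "admin@example.com",
     "app_id": "app-unknown-888", "admin_consent": True},
]
AGENT_EVENTS = [
    {"time": "2025-11-03T13:55:00", "user": "mallory@example.com",
     "agent": "HelpDesk Login"},
    {"time": "2025-10-20T10:00:00", "user": "carol@example.com",
     "agent": "HR FAQ"},
]
APPROVED_APPS = {"app-approved-001"}  # hypothetical allowlist of reviewed apps


def _ts(event):
    return datetime.fromisoformat(event["time"])


def review_consents(consents, agents, approved, window_hours=24):
    """Flag consents to unapproved apps and attach recent agent creations."""
    window = timedelta(hours=window_hours)
    findings = []
    for consent in consents:
        if consent["app_id"] in approved:
            continue  # app already reviewed, nothing to flag
        # Agents created in the window before this consent are review leads.
        recent = [a["agent"] for a in agents
                  if timedelta(0) <= _ts(consent) - _ts(a) <= window]
        findings.append({
            "user": consent["user"],
            "app_id": consent["app_id"],
            # Admin consent grants broader access, so it ranks higher.
            "severity": "high" if consent["admin_consent"] else "medium",
            "recent_agents": recent,
        })
    return findings


if __name__ == "__main__":
    for finding in review_consents(CONSENT_EVENTS, AGENT_EVENTS, APPROVED_APPS):
        print(finding)
```

An empty `recent_agents` list does not clear a finding, since a consent to an unreviewed app still needs review on its own.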

 

What safeguards can reduce the impact of such attacks?

Enforcing strong application consent policies, restricting app registration, and limiting admin roles can greatly reduce exposure to CoPhish-style attacks.

 

Will future Microsoft updates fully stop CoPhish?

The planned updates will limit some attack vectors, especially for low-privilege users, but will not prevent attacks targeting administrators or using externally registered apps.