A phishing technique named CoPhish misuses Microsoft Copilot Studio to deceive users into giving hackers access to their Microsoft Entra ID accounts. Datadog Security Labs identified a method that uses customizable AI agents on legitimate Microsoft domains to disguise OAuth consent attacks, making them seem trustworthy and avoiding user suspicion.
A new report reveals that cloud-based AI tools still have vulnerabilities, even with Microsoft’s improved consent policies.
Attackers can use Copilot Studio to build fake chatbots that trick users into giving their login details, allowing them to steal OAuth tokens for harmful activities like reading emails or accessing calendars.
Recent advancements in AI services have led to the unintended risk of phishing through user-configurable features. With more organizations using tools like Copilot, it’s crucial to closely monitor low-code platforms.
OAuth consent attacks, classified under MITRE ATT&CK technique T1528, involve luring users into approving malicious app registrations that request broad permissions to sensitive data.
Attackers in Entra ID environments create app registrations to access Microsoft Graph resources like email or OneNote, tricking victims into consenting through phishing links. Once approved, they gain a token that allows them to impersonate users and steal data or cause further harm.
Microsoft has bolstered defenses over the years, including 2020 restrictions on unverified apps and a July 2025 update setting “microsoft-user-default-recommended” as the default policy, which blocks consent for high-risk permissions like Sites.Read.All and Files.Read.All without admin approval.
However, gaps remain: unprivileged users can still approve internal apps for permissions like Mail.ReadWrite or Calendars.ReadWrite, and admins with roles such as Application Administrator can consent to any permissions on any app.
An upcoming late-October 2025 policy tweak will narrow these further but won’t fully protect privileged users.
CoPhish Attack Exploits Copilot:
In the CoPhish technique, attackers create a harmful chatbot using a trial license in their own account or a compromised one, Datadog said.
The agent’s “Login” topic, a system workflow for authentication, is backdoored with an HTTP request that exfiltrates the user’s OAuth token to an attacker-controlled server after consent.
The demo website feature shares the agent via a URL like copilotstudio.microsoft.com, mimicking official Copilot services and evading basic domain checks.
The attack unfolds when a victim clicks a shared link, sees a familiar interface with a “Login” button, and is redirected to the malicious OAuth flow.
For internal targets, the app requests allowable scopes like Notes.ReadWrite; for admins, it can demand everything, including disallowed ones. Post-consent, a validation code from token.botframework.com completes the process, but the token is silently forwarded often via Microsoft’s IPs, hiding it from user traffic logs.
Attackers can then use the token for actions like sending phishing emails or data theft, all without alerting the victim. A diagram illustrates this flow, showing the agent issuing tokens post-consent for exfiltration.
To counter CoPhish, experts recommend enforcing custom consent policies beyond Microsoft’s defaults, disabling user app creation, and monitoring Entra ID audit logs for suspicious consents or Copilot modifications.
This attack serves as a cautionary tale for emerging AI platforms: their ease of customization amplifies risks when paired with identity systems. As cloud services proliferate, organizations must prioritize robust policies to safeguard against such hybrid threats.