CoPhish Attack Exploits Microsoft Copilot Studio to Hijack OAuth Tokens

Security researchers at Datadog have uncovered a sophisticated phishing campaign—dubbed CoPhish—that weaponizes Microsoft Copilot Studio agents to hijack OAuth tokens through fraudulent consent flows. This technique leverages Microsoft's own trusted domains (copilotstudio.microsoft.com) to bypass conventional security checks, posing severe risks to enterprise identity systems. Attackers craft malicious chatbots that redirect users to fake OAuth consent screens, harvesting session tokens to compromise accounts with minimal trace.

How the Attack Operates

CoPhish exploits Copilot Studio's customizable "sign-in topic" workflows, which handle authentication for chatbot interactions. Threat actors configure these workflows to:
1. Redirect victims to malicious OAuth applications disguised as legitimate services.
2. Capture session tokens via HTTP requests to attacker-controlled endpoints (e.g., Burp Collaborator).
3. Bypass detection by hosting phishing pages on Microsoft's domain, making URLs appear trustworthy.

As Katie Knowles, Senior Security Researcher at Datadog, explains:

"An attacker can customize the Login button to target application admins—even those outside their environment—by manipulating consent workflows. The Microsoft-hosted page masks the threat, leaving only subtle clues like the 'Power Platform' icon as potential red flags."

Targeting Privileged Accounts

The attack disproportionately threatens administrators, who can approve high-risk permissions for unverified applications. Even after Microsoft's planned mitigations—which will restrict default permissions—external attackers can still target Application Administrators. Once compromised, stolen tokens enable silent account takeover:
- Traffic originates from Microsoft IPs, evading network monitoring.
- Victims receive no alerts about token exfiltration.
- Attackers gain persistent access to email, calendars, and collaboration tools.

Mitigation Strategies

Microsoft confirmed plans to address the vulnerability but emphasized social engineering remains a core challenge. For immediate defense, organizations should:
- Restrict admin privileges using least-access principles.
- Disable user application creation in Entra ID (Azure AD).
- Audit OAuth consent policies and enforce strict governance rules.
- Monitor Copilot Studio agent deployments for anomalous activity.

The Bigger Picture

CoPhish highlights the double-edged sword of extensible AI platforms: While Copilot Studio democratizes workflow automation, its undocumented features create fertile ground for abuse. As enterprises rush to adopt AI-augmented tools, this attack underscores the non-negotiable need for zero-trust design—where no domain or service is inherently trusted. Until platforms bake security into their extensibility layers, defenders must assume that every new capability could be tomorrow's attack vector.

Source: BleepingComputer | Research: Datadog Security Labs