CoPhish Attack Exploits Microsoft Copilot Studio to Exfiltrate OAuth Tokens

A sophisticated phishing technique, termed CoPhish by Datadog Security Labs, has emerged that abuses Microsoft Copilot Studio to deceive users into granting unauthorized access to their Microsoft Entra ID accounts. The method relies on customizable AI agents hosted on legitimate Microsoft domains, which lends a traditional OAuth consent attack an appearance of trustworthiness and lowers user suspicion.

Understanding the CoPhish Attack

The CoPhish attack represents a significant evolution in phishing strategies, particularly within cloud-based AI tools. Despite Microsoft's ongoing efforts to tighten consent policies, the attack shows that gaps persist. Using Copilot Studio's flexibility, attackers can craft seemingly benign chatbots that prompt users to sign in and consent, ultimately capturing their OAuth tokens. Those tokens can then be misused for malicious activity, such as reading email or accessing calendars.

The Mechanics of OAuth Consent Attacks

OAuth consent attacks, classified under MITRE ATT&CK technique T1528, trick users into approving malicious app registrations that request broad permissions to sensitive data. In an Entra ID environment, the attacker creates an app registration that asks for access to Microsoft Graph resources such as email or OneNote, then directs victims to the consent prompt via phishing links. Once consent is given, the resulting token lets the attacker act on the victim's behalf, enabling data exfiltration or further compromise.

Microsoft’s Defensive Measures and Existing Gaps

Over the years, Microsoft has implemented several defenses to mitigate such attacks. In 2020, restrictions were placed on unverified apps, and by July 2025, the default policy was set to microsoft-user-default-recommended, blocking consent for high-risk permissions like Sites.Read.All and Files.Read.All without administrative approval. However, certain gaps remain:

– Unprivileged users can still approve internal apps for permissions like Mail.ReadWrite or Calendars.ReadWrite.

– Administrators with roles such as Application Administrator can consent to any permissions on any app.

An upcoming policy update in late October 2025 aims to further narrow these gaps but may not fully protect privileged users.

Detailed Breakdown of the CoPhish Technique

In the CoPhish method, attackers construct a malicious Copilot Studio agent (a customizable chatbot) using a trial license, either in their own tenant or in a compromised one. The agent's Login topic, the system workflow that handles authentication, is backdoored with an HTTP request that forwards the user's OAuth token to an attacker-controlled server once consent is granted.

The demo website feature allows the agent to be shared via a URL resembling copilotstudio.microsoft.com, mimicking official Copilot services and evading basic domain checks.

Step-by-Step Execution of the Attack:

1. Initiation: The victim clicks on a shared link, leading to a familiar interface with a Login button.

2. Redirection: The victim is redirected to the malicious OAuth flow.

3. Permission Request: Against unprivileged users in the target tenant, the app requests scopes they are still allowed to approve, such as Notes.ReadWrite; when the target is an administrator, it can request far broader permissions, including ones that ordinary users are blocked from consenting to.

4. Token Validation: Post-consent, a validation code from token.botframework.com completes the process.

5. Token Exfiltration: The token is silently forwarded to the attacker's server. Because the request originates from Microsoft's infrastructure rather than the victim's machine, it leaves no trace in the victim's own network traffic logs.

Attackers can then utilize the token for actions such as sending phishing emails or data theft, all without alerting the victim.

Visual Representation of the Attack Chain:

A diagram illustrates this flow, showing the agent issuing tokens post-consent for exfiltration.

Mitigation Strategies Against CoPhish

To counteract the CoPhish attack, experts recommend the following measures:

– Enforce Custom Consent Policies: Implement policies beyond Microsoft’s defaults to restrict unauthorized access.

– Disable User App Creation: Prevent unprivileged users from creating internal apps that could be exploited.

– Monitor Entra ID Audit Logs: Regularly review logs for suspicious consents or modifications to Copilot configurations.
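As an added example for the audit-log recommendation above (written for this article, not code from Datadog Security Labs or Microsoft), the following Python script runs a detection pass over Entra ID "Consent to application" audit events and flags consents that grant the scopes the article names as abusable, ranking admin consents highest. The event layout (activityDisplayName, initiatedBy, targetResources with modifiedProperties such as ConsentContext.IsAdminConsent and ConsentAction.Permissions) follows the general shape of Entra ID directory audit records, but the exact field names, the value encodings and all sample events are assumptions and constructed data; in practice the events would be pulled from the Graph directoryAudits endpoint or a SIEM export.

```python
"""Flag risky OAuth consents in Entra ID audit events (added example).

Field names and value encodings are assumptions modelled on Entra ID
directory audit records; SAMPLE_EVENTS is constructed data, not real logs.
"""
import json
import re

# Scopes named in the article: ones unprivileged users can still approve
# (Mail/Calendars/Notes) and ones the recommended default policy blocks.
RISKY_SCOPES = {
    "Mail.ReadWrite", "Calendars.ReadWrite", "Notes.ReadWrite",
    "Sites.Read.All", "Files.Read.All",
}

# Constructed sample events (hypothetical apps and users).
SAMPLE_EVENTS = [
    {   # unprivileged user granting mail + calendar access: medium
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
        "targetResources": [{
            "displayName": "Helpdesk Assistant",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"False"'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": '"[[Scope: User.Read Mail.ReadWrite Calendars.ReadWrite, ConsentType: Principal]]"'},
            ],
        }],
    },
    {   # admin consent granting tenant-wide file and site read: high
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "bob.admin@example.com"}},
        "targetResources": [{
            "displayName": "Copilot Demo Agent",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"True"'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": '"[[Scope: Sites.Read.All Files.Read.All offline_access, ConsentType: AllPrincipals]]"'},
            ],
        }],
    },
    {   # benign sign-in scopes only: not flagged
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
        "targetResources": [{
            "displayName": "Expense Viewer",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"False"'},
                {"displayName": "ConsentAction.Permissions", "newValue": '"User.Read openid"'},
            ],
        }],
    },
    {   # unrelated audit activity: skipped entirely
        "activityDisplayName": "Update application",
        "initiatedBy": {"user": {"userPrincipalName": "dave@example.com"}},
        "targetResources": [{"displayName": "Expense Viewer", "modifiedProperties": []}],
    },
]


def _decode(value):
    """newValue fields arrive as JSON-encoded strings ('"True"'); unwrap them,
    but tolerate plain strings too."""
    if value is None:
        return None
    return json.loads(value) if value.startswith('"') else value


def _prop(event, name):
    """Return the newValue of the first modifiedProperty called `name`."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue")
    return None


def parse_scopes(new_value):
    """Extract OAuth scope names from a ConsentAction.Permissions value.
    Accepts a bare space-separated list or the bracketed
    '[[..., Scope: a b c, ...]]' form (the bracketed layout is an assumption)."""
    text = _decode(new_value)
    if not text:
        return set()
    match = re.search(r"Scope:\s*([^,\]]+)", text)
    if match:
        text = match.group(1)
    return set(text.split())


def flag_consents(events, risky=RISKY_SCOPES):
    """One finding per consent event that grants a risky scope; admin consents
    rank higher because admins can approve permissions users cannot."""
    findings = []
    for event in events:
        if event.get("activityDisplayName") != "Consent to application":
            continue
        hits = sorted(parse_scopes(_prop(event, "ConsentAction.Permissions")) & risky)
        if not hits:
            continue
        admin = str(_decode(_prop(event, "ConsentContext.IsAdminConsent"))).lower() == "true"
        findings.append({
            "user": event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
            "app": event["targetResources"][0].get("displayName"),
            "admin_consent": admin,
            "risky_scopes": hits,
            "severity": "high" if admin else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_consents(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed events, the script reports the Helpdesk Assistant consent as medium and the admin consent to the demo agent as high, while ignoring the sign-in-only consent and the unrelated update. The scope list is the tuning point: an organisation would extend it with whatever its custom consent policy does not already block, and pair the findings with a review of who created the consented app and whether any Copilot Studio agent's Login topic was modified around the same time.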

This attack serves as a cautionary tale for emerging AI platforms: their ease of customization amplifies risks when paired with identity systems. As cloud services proliferate, organizations must prioritize robust policies to safeguard against such hybrid threats.