Sophisticated phishing technique leverages Microsoft Copilot Studio’s customizable AI agents to trick users into granting unauthorized access to Microsoft Entra ID accounts, bypassing traditional security controls
October 27, 2025 – AI-Powered Phishing Threat
New CoPhish attack exploits Microsoft Copilot Studio to steal OAuth tokens
Malicious AI agents hosted on legitimate Microsoft domains bypass user suspicions
Attackers gain unauthorized access to Microsoft Entra ID accounts
As of October 27, 2025, cybersecurity researchers have identified a sophisticated phishing technique called CoPhish that exploits Microsoft Copilot Studio to trick users into granting attackers unauthorized access to their Microsoft Entra ID accounts. Named by Datadog Security Labs, this method uses customizable AI agents hosted on legitimate Microsoft domains to wrap traditional OAuth consent attacks, making them appear trustworthy and lowering user suspicion.
This alarming development highlights ongoing vulnerabilities in cloud-based AI tools despite Microsoft’s efforts to tighten consent policies. By leveraging Copilot Studio’s flexibility, attackers can create seemingly innocent chatbots that prompt users for login credentials, ultimately stealing OAuth tokens for malicious actions like reading emails or accessing calendars.
KEY FACTS
WHAT HAPPENED:
- CoPhish attack technique: Sophisticated phishing method exploiting Microsoft Copilot Studio
- OAuth token theft: Attackers gain unauthorized access to Microsoft Entra ID accounts
- Legitimate domain abuse: Malicious AI agents hosted on official Microsoft domains
- AI-powered deception: Customizable chatbots appear trustworthy to bypass user suspicions
- MITRE ATT&CK technique: Classified under T1528 for OAuth consent attacks
- Datadog Security Labs discovery: Research team identified and documented the attack method
- Microsoft Graph access: Attackers can access email, OneNote, and other sensitive data
- Silent token exfiltration: OAuth tokens forwarded via Microsoft’s IPs, hiding from user traffic logs
WHO’S AFFECTED:
- Microsoft Entra ID users: Organizations using Microsoft’s identity and access management
- Microsoft 365 subscribers: Users with access to email, calendars, and collaboration tools
- Enterprise organizations: Companies relying on Microsoft’s cloud services
- Government agencies: Federal and state agencies using Microsoft Entra ID
- Educational institutions: Universities and schools with Microsoft 365 deployments
- Healthcare organizations: Medical facilities using Microsoft’s cloud platform
- Financial institutions: Banks and financial services using Microsoft Entra ID
- Application administrators: Users with elevated privileges in Microsoft environments
IMMEDIATE IMPACT:
- Unauthorized data access: Attackers can read emails, access calendars, and view sensitive documents
- Account impersonation: Stolen OAuth tokens enable attackers to act as legitimate users
- Data exfiltration: Sensitive information can be stolen without user knowledge
- Phishing email distribution: Compromised accounts used to send malicious emails
- Calendar manipulation: Attackers can modify or access calendar information
- OneNote access: Personal and corporate notes can be compromised
- Persistent access: OAuth tokens provide ongoing access until revoked
- Privilege escalation: Admin accounts can grant broader permissions to malicious apps
BREAKING / LATEST UPDATE
In a report released on October 27, 2025, Datadog Security Labs confirmed the identification of a sophisticated phishing technique called CoPhish that exploits Microsoft Copilot Studio to trick users into granting attackers unauthorized access to their Microsoft Entra ID accounts. This method represents a significant evolution in AI-powered phishing attacks, leveraging legitimate Microsoft infrastructure to bypass traditional security controls.
The attack technique uses customizable AI agents hosted on legitimate Microsoft domains, specifically copilotstudio.microsoft.com, to create seemingly innocent chatbots that prompt users for login credentials. The malicious agents exploit Copilot Studio’s “Login” topic system workflow, which is backdoored with an HTTP request that exfiltrates the user’s OAuth token to an attacker-controlled server after consent.
Significantly, the attack unfolds when victims click shared links and see a familiar interface with a “Login” button, leading to redirection to the malicious OAuth flow. For internal targets, the app requests allowable scopes like Notes.ReadWrite, while for administrators, it can demand everything, including disallowed permissions.
Post-consent, a validation code from token.botframework.com completes the process, but the token is silently forwarded, often via Microsoft’s IPs, which hides the malicious activity from user traffic logs. Attackers can then use the stolen tokens for actions like sending phishing emails or data theft without alerting the victim.

Figure: The CoPhish attack flow, detailing how malicious Copilot Studio agents exploit user interaction and Microsoft Entra ID to steal OAuth tokens
ATTACK DETAILS & TECHNICAL ANALYSIS
The CoPhish attack represents a sophisticated evolution of traditional OAuth consent attacks, classified under MITRE ATT&CK technique T1528. In Microsoft Entra ID environments, attackers create app registrations seeking access to Microsoft Graph resources, such as email or OneNote, then direct victims to consent via phishing links.
Once approved, the resulting token grants the attacker impersonation rights, enabling data exfiltration or further compromise. The attack leverages Copilot Studio’s flexibility, where attackers build malicious agents using trial licenses in their own tenant or a compromised one.
Technical Attack Details:
- Attack Vector: AI-powered phishing through Microsoft Copilot Studio
- MITRE ATT&CK Technique: T1528 – OAuth consent attacks
- Target Platform: Microsoft Entra ID (formerly Azure Active Directory)
- Attack Surface: Microsoft Graph API permissions
- Domain Abuse: Legitimate Microsoft domains (copilotstudio.microsoft.com)
- Token Exfiltration: HTTP requests to attacker-controlled servers
- Stealth Mechanism: Traffic routed through Microsoft’s IP addresses
- Validation Process: token.botframework.com completion codes
Microsoft has bolstered defenses over the years, including 2020 restrictions on unverified apps and a July 2025 update setting “microsoft-user-default-recommended” as the default policy, which blocks consent for high-risk permissions like Sites.Read.All and Files.Read.All without admin approval.
However, significant gaps remain: unprivileged users can still approve internal apps for permissions like Mail.ReadWrite or Calendars.ReadWrite, and admins with roles such as Application Administrator can consent to any permissions on any app. An upcoming late-October 2025 policy tweak will narrow these further but won’t fully protect privileged users.
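To make the consent gap above concrete for defenders, the following added example (not code from Datadog or Microsoft) triages Entra ID audit records for "Consent to application" events that grant the scopes this article names. The record layout is assumed to follow the Microsoft Graph directoryAudit shape in simplified form; the sample records, user names and app names are constructed.

```python
import re

# Scopes named in the article: still user-consentable or requested by the agent.
USER_CONSENTABLE = {"Mail.ReadWrite", "Calendars.ReadWrite", "Notes.ReadWrite"}
# Scopes the article says the default policy blocks without admin approval.
ADMIN_ONLY = {"Sites.Read.All", "Files.Read.All"}
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")

def _props(event):
    """Flatten modifiedProperties of every target resource into one dict."""
    out = {}
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            out[prop.get("displayName")] = (prop.get("newValue") or "").strip('"')
    return out

def triage_consent(event):
    """Return a finding for a consent event worth reviewing, else None."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    props = _props(event)
    # The value is logged as "old => new"; only the newly granted side matters.
    granted = props.get("ConsentAction.Permissions", "").split("=>")[-1]
    scopes = {s for m in SCOPE_RE.finditer(granted) for s in m.group(1).split()}
    admin = props.get("ConsentContext.IsAdminConsent", "").lower() == "true"
    hits = scopes & (USER_CONSENTABLE | ADMIN_ONLY)
    if not hits and not admin:
        return None  # low-risk scopes granted by a non-admin
    user = (event.get("initiatedBy") or {}).get("user") or {}
    targets = event.get("targetResources") or [{}]
    return {
        "user": user.get("userPrincipalName"),
        "app": targets[0].get("displayName"),
        "scopes": sorted(hits),
        "admin_consent": admin,
        "severity": "high" if admin or hits & ADMIN_ONLY else "medium",
    }

def scan(events):
    """Triage a batch of audit records and keep only the findings."""
    return [f for f in map(triage_consent, events) if f]

def _event(activity, upn, app, scopes, admin):
    # Helper that builds a constructed, simplified audit record.
    perms = "[] => [[ConsentType: Principal, Scope: %s, CreatedDateTime: ]]" % scopes
    return {"activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": admin},
                {"displayName": "ConsentAction.Permissions", "newValue": perms}]}]}

C = "Consent to application"
SAMPLE = [  # constructed records, not real tenant data
    _event(C, "alice@example.com", "Helpdesk Agent", "Mail.ReadWrite offline_access", '"False"'),
    _event(C, "admin@example.com", "Docs Agent", "Files.Read.All Sites.Read.All", '"True"'),
    _event(C, "bob@example.com", "Profile Viewer", "User.Read openid", '"False"'),
    _event("Update user", "bob@example.com", "bob", "", '"False"'),
]
```

Calling `scan(SAMPLE)` yields two findings: a medium one for the user-granted Mail.ReadWrite consent and a high one for the admin consent.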
COPHISH EXPLOITATION TECHNIQUE
The CoPhish technique exploits Microsoft Copilot Studio’s customizable AI agent capabilities to create sophisticated phishing attacks. Attackers build malicious Copilot Studio agents using trial licenses in their own tenant or a compromised one, creating chatbots that appear legitimate and trustworthy.
The attack chain begins when attackers create a malicious agent with a backdoored “Login” topic system workflow. This workflow includes an HTTP request that exfiltrates the user’s OAuth token to an attacker-controlled server after the user provides consent. The demo website feature shares the agent via a URL like copilotstudio.microsoft.com, mimicking official Copilot services and evading basic domain checks.
When victims click shared links, they see a familiar interface with a “Login” button and are redirected to the malicious OAuth flow. The attack exploits the trust users place in Microsoft’s official domains, making the phishing attempt appear legitimate and reducing user suspicion.
For internal targets, the malicious app requests allowable scopes like Notes.ReadWrite, while for administrators, it can demand everything, including disallowed permissions. Post-consent, a validation code from token.botframework.com completes the process, but the token is silently forwarded, often via Microsoft’s IPs, which hides the malicious activity from user traffic logs.
Attackers can then use the stolen OAuth tokens for various malicious actions, including sending phishing emails, accessing sensitive data, or performing data theft, all without alerting the victim to the compromise.

Figure: Microsoft Copilot Studio interface demonstrating how malicious AI agents can exploit legitimate Microsoft domains for OAuth token theft
MAJOR INCIDENTS & CASE STUDIES
While specific incidents involving the CoPhish attack have not been publicly disclosed, this technique represents a significant threat to organizations using Microsoft’s cloud services. The attack method highlights the ongoing challenges in securing AI-powered platforms and the potential for legitimate tools to be weaponized by threat actors.
Historical OAuth consent attacks have been used by various threat groups, including state-sponsored actors and cybercriminal organizations. The evolution to AI-powered attacks through platforms like Copilot Studio represents a concerning trend in the sophistication of phishing techniques.
The CoPhish attack serves as a cautionary tale for emerging AI platforms, demonstrating how their ease of customization can amplify risks when paired with identity systems. As cloud services proliferate, organizations must prioritize robust policies to safeguard against such hybrid threats.
FEDERAL RESPONSE & WARNINGS
While no specific federal directive has been issued for the CoPhish attack, cybersecurity agencies emphasize the importance of implementing robust OAuth consent policies and monitoring for suspicious activities in Microsoft Entra ID environments. The Cybersecurity and Infrastructure Security Agency (CISA) recommends organizations review their Microsoft Entra ID configurations and implement additional security controls.
Recommended security measures include:
- Enforce custom consent policies: Implement policies beyond Microsoft’s default settings
- Disable user app creation: Prevent users from creating applications without approval
- Monitor Entra ID audit logs: Track suspicious consents and Copilot modifications
- Review app permissions: Regularly audit application permissions and access rights
- Implement conditional access: Use Microsoft’s conditional access policies for additional protection
- Enable security defaults: Activate Microsoft’s security defaults for enhanced protection
- Monitor OAuth flows: Track and analyze OAuth consent patterns for anomalies
- Regular security assessments: Conduct periodic reviews of Microsoft Entra ID configurations
Federal agencies emphasize that organizations should implement defense-in-depth strategies to protect against AI-powered phishing attacks and OAuth consent abuse.
EXPERT OPINIONS AND OFFICIAL REPORTS
According to Datadog Security Labs researchers, the CoPhish attack represents a significant evolution in phishing techniques, leveraging AI platforms to create more convincing and effective attacks. The use of legitimate Microsoft domains makes these attacks particularly dangerous, as they bypass traditional domain-based security controls.
Microsoft security experts acknowledge the ongoing challenges in securing AI-powered platforms while maintaining usability. The company has implemented various security measures over the years, but the rapid evolution of AI services creates new attack vectors that require continuous attention.
Industry professionals emphasize that the CoPhish attack highlights the need for organizations to implement comprehensive security policies that go beyond default settings. The attack demonstrates how legitimate tools can be weaponized when proper security controls are not in place.
FUTURE OUTLOOK AND IMPACT ON US BUSINESSES
Security experts predict that AI-powered phishing attacks will continue to evolve as threat actors seek new methods to exploit cloud-based AI platforms. The discovery of the CoPhish attack demonstrates the ongoing challenges in securing AI services while maintaining their productivity benefits.
Emerging Threats (Next 6-12 Months):
- AI-powered phishing evolution: More sophisticated attacks leveraging AI platforms
- OAuth consent abuse: Increased exploitation of OAuth consent mechanisms
- Cloud platform targeting: Focus on Microsoft and other cloud service providers
- Hybrid attack techniques: Combination of AI and traditional attack methods
Industry Response:
Microsoft and other cloud service providers are developing enhanced security controls to protect against AI-powered attacks. The company is implementing additional consent policies and monitoring capabilities to detect and prevent malicious OAuth flows.
Long-Term Implications (12-24 Months):
- Enhanced AI security: Development of security controls specifically for AI platforms
- Regulatory requirements: Potential regulations requiring enhanced AI security measures
- Technology evolution: Development of more secure AI platform architectures
- Threat intelligence sharing: Increased collaboration on AI security threats
CRITICAL RECOMMENDATIONS
For US Businesses:
Immediate Actions (Next 30 Days):
- Review OAuth consent policies: Implement custom consent policies beyond Microsoft defaults
- Disable user app creation: Prevent users from creating applications without approval
- Monitor Entra ID audit logs: Track suspicious consents and Copilot modifications
- Review app permissions: Audit all application permissions and access rights
- Implement conditional access: Use Microsoft’s conditional access policies
- Enable security defaults: Activate Microsoft’s security defaults
- User awareness training: Educate users about AI-powered phishing attacks
- Incident response planning: Develop procedures for responding to OAuth attacks
For Individual Users:
- Verify app permissions: Always review requested permissions before granting access
- Check app legitimacy: Verify that applications requesting access are legitimate
- Report suspicious requests: Report unusual permission requests to IT security teams
- Use strong authentication: Enable multi-factor authentication for all accounts
- Monitor account activity: Regularly review account activity and permissions
For Government Contractors and Critical Infrastructure:
- Enhanced monitoring: Implement advanced monitoring for OAuth consent activities
- Strict consent policies: Implement the most restrictive consent policies possible
- Regular security assessments: Conduct comprehensive Microsoft Entra ID security evaluations
- Incident reporting: Establish procedures for reporting OAuth security incidents
- Collaboration: Share threat intelligence with government agencies and industry partners
- Zero-trust implementation: Implement zero-trust security principles for cloud access
RESOURCES AND REPORTING
Emergency Response Resources:
- Microsoft Security Response Center: msrc.microsoft.com | Security: secure@microsoft.com
- Datadog Security Labs: datadoghq.com | Security Research: security@datadoghq.com
- Microsoft Entra ID Security: docs.microsoft.com/entra
CONCLUSION
The CoPhish attack represents a significant evolution in phishing techniques, leveraging Microsoft Copilot Studio’s AI capabilities to create sophisticated attacks that bypass traditional security controls. By exploiting legitimate Microsoft domains and OAuth consent mechanisms, attackers can gain unauthorized access to Microsoft Entra ID accounts and sensitive data.
This attack highlights the ongoing challenges in securing AI-powered platforms while maintaining their productivity benefits. The use of legitimate Microsoft infrastructure makes these attacks particularly dangerous, as they can bypass traditional domain-based security controls and user suspicions.
Organizations must implement comprehensive security policies that go beyond Microsoft’s default settings, including custom consent policies, user app creation restrictions, and enhanced monitoring of OAuth consent activities. The CoPhish attack serves as a critical reminder of the need for continuous vigilance in cloud security and the importance of implementing defense-in-depth strategies.
Updated on October 27, 2025 by CyberUpdates365 Editorial Team
This is a developing story. CyberUpdates365 will provide updates as additional information about the CoPhish attack becomes available.