
CoPhish Attack Exploits Microsoft Copilot Studio to Steal OAuth Tokens via Malicious Agents

  • Rescana
  • Oct 26

Executive Summary

A sophisticated new phishing campaign, known as CoPhish, has emerged, exploiting the integration capabilities of Microsoft Copilot Studio to steal OAuth tokens from unsuspecting users. By leveraging the trusted Microsoft domain and the low-code agent creation features of Copilot Studio, adversaries are able to craft highly convincing phishing workflows that redirect users to malicious OAuth consent pages. Once a user grants consent, their OAuth tokens are exfiltrated to attacker-controlled infrastructure, enabling unauthorized access to sensitive resources such as email, chat, calendar, and notes within the Microsoft 365 ecosystem. This attack vector is particularly insidious due to its use of legitimate Microsoft infrastructure, which can bypass traditional phishing detection mechanisms and user skepticism. The CoPhish technique has been validated in the wild, with proof-of-concept demonstrations and active discussion across the cybersecurity community. Organizations using Microsoft Copilot Studio or relying on OAuth-based authentication for Microsoft 365 services are at elevated risk and should take immediate action to review consent policies, monitor for suspicious agent activity, and educate users about the dangers of OAuth consent phishing.

Threat Actor Profile

Attribution for the CoPhish campaign remains unconfirmed as of this report. The attack methodology aligns with tactics, techniques, and procedures (TTPs) commonly associated with financially motivated cybercriminals, business email compromise (BEC) operators, and advanced persistent threat (APT) groups specializing in credential theft and cloud resource exploitation. The use of low-code platforms and OAuth token theft is consistent with the MITRE ATT&CK technique T1528: Steal Application Access Token. The campaign’s sophistication, including the abuse of trusted Microsoft domains and the automation of token exfiltration, suggests a threat actor with a strong understanding of cloud identity, OAuth flows, and social engineering. While no specific APT group has claimed responsibility, the attack’s versatility makes it suitable for a wide range of threat actors, from opportunistic phishers to state-sponsored espionage groups.

Technical Analysis of Malware/TTPs

The CoPhish attack leverages the agent and topic customization features of Microsoft Copilot Studio (copilotstudio.microsoft.com). The adversary creates a malicious Copilot Studio agent, configuring its “Login” button to redirect users to a fraudulent OAuth consent page. This page requests permissions such as Mail.ReadWrite, Mail.Send, Chat.ReadWrite, Calendars.ReadWrite, and Notes.ReadWrite. Upon user consent, the agent’s workflow is programmed to exfiltrate the resulting OAuth token to an attacker-controlled endpoint, often via an HTTP request to a service like Burp Collaborator or a custom webhook.

The technical flow is as follows: the attacker creates a Copilot Studio agent in their own or a compromised Microsoft tenant, modifies the sign-in topic to include a token exfiltration step, and distributes a link to the agent hosted on a legitimate Microsoft domain (e.g., https://copilotstudio.microsoft.com/environments/Default-{tenant-id}/bots/Default_{bot-name}/canvas). When the victim interacts with the agent and clicks “Login,” they are redirected to a malicious OAuth consent page. If the victim grants consent, the agent’s workflow captures the OAuth token and transmits it to the attacker’s infrastructure. The attacker can then use this token to access Microsoft Graph resources, impersonate the user, and perform actions such as reading and sending emails, accessing chat messages, and manipulating calendar events.

This attack is particularly dangerous because it does not rely on exploiting a software vulnerability, but rather abuses legitimate platform features and user trust in Microsoft domains. The use of OAuth consent phishing allows attackers to bypass multi-factor authentication (MFA) and gain persistent access until the token is revoked or expires.

Exploitation in the Wild

The CoPhish technique has been publicly demonstrated by Datadog Security Labs, which published a comprehensive technical writeup and proof-of-concept code. The attack has been discussed extensively on platforms such as Reddit (notably in the r/InfoSecNews community), X (formerly Twitter), and covered by security news outlets including BleepingComputer. As of this report, there are no confirmed incidents of large-scale exploitation or attribution to a specific threat group, but the attack’s low barrier to entry and high success rate make it a significant concern for organizations of all sizes.

Security researchers have observed that the attack is effective against both unprivileged internal users and high-privilege administrators. In the case of administrators, the risk is amplified, as they may have the ability to grant tenant-wide consent to malicious applications, potentially exposing the entire organization’s data. The attack is also notable for its ability to evade traditional email and web filtering solutions, as the phishing links are hosted on legitimate Microsoft infrastructure.

Victimology and Targeting

The primary targets of the CoPhish attack are organizations and users within the Microsoft 365 ecosystem, particularly those utilizing Microsoft Copilot Studio for workflow automation and chatbot development. Both regular users and administrators are at risk, with administrators representing a higher-value target due to their ability to grant broad application permissions. The attack is tenant-agnostic, meaning it can be launched from any Microsoft tenant, including those compromised by the attacker or created specifically for malicious purposes.

Victims are typically lured via social engineering, such as phishing emails, instant messages, or internal communications that reference the Copilot Studio agent. The use of a legitimate Microsoft domain in the phishing link increases the likelihood of user trust and successful exploitation. Organizations with lax application consent policies, insufficient monitoring of agent activity, or inadequate user education are particularly vulnerable.

Mitigation and Countermeasures

To defend against the CoPhish attack, organizations should implement a multi-layered approach combining technical controls, policy enforcement, and user awareness. Strict application consent policies should be enforced in Microsoft Entra ID (formerly Azure Active Directory), limiting the ability of users to grant consent to unverified or third-party applications. The default ability for users to register new applications should be disabled unless explicitly required. Security teams should monitor for the creation and modification of Copilot Studio agents, with particular attention to changes in sign-in topics and outbound HTTP requests to unknown endpoints.

Audit logs in Entra ID, Microsoft 365, and Power Platform should be regularly reviewed for events such as “Consent to application,” “BotCreate,” and “BotComponentUpdate,” especially where the *.topic.Signin property is modified. Automated detection rules can be established to flag suspicious agent activity or anomalous OAuth consent events, particularly for high-privilege accounts.
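The review described above can be expressed as a small triage rule set. The following is an added example, not code from this report or from the researchers it cites. It assumes audit events have already been exported and normalized into a simplified record layout (the `id`, `time`, `operation`, `actor`, `component`, `scopes` and `admin_consent` fields are hypothetical, not the native audit schema), and the sample records are constructed.

```python
from fnmatch import fnmatchcase

# Delegated scopes this report lists on the malicious consent page.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Chat.ReadWrite",
                "Calendars.ReadWrite", "Notes.ReadWrite"}
SIGNIN_TOPIC = "*.topic.Signin"  # property pattern named in this report


def triage(events, privileged=frozenset()):
    """Return (event_id, severity, reason) for events that need review."""
    findings = []
    creators = set()  # actors already seen creating an agent
    for ev in sorted(events, key=lambda e: e["time"]):
        op, actor = ev["operation"], ev["actor"]
        if op == "BotCreate":
            creators.add(actor)
        elif op == "BotComponentUpdate":
            if fnmatchcase(ev.get("component", ""), SIGNIN_TOPIC):
                # Create followed by a sign-in topic edit by the same actor
                # matches the agent setup sequence described in this report.
                sev = "high" if actor in creators else "medium"
                findings.append((ev["id"], sev, "sign-in topic modified"))
        elif op == "Consent to application":
            hit = sorted(RISKY_SCOPES & set(ev.get("scopes", [])))
            if hit:
                admin = ev.get("admin_consent", False) or actor in privileged
                findings.append((ev["id"], "high" if admin else "medium",
                                 "consent to " + ", ".join(hit)))
    return findings


# Constructed sample records in the assumed layout (not real log output).
SAMPLE = [
    {"id": "e1", "time": "2025-01-01T09:00:00Z", "operation": "BotCreate",
     "actor": "dev@example.test"},
    {"id": "e2", "time": "2025-01-01T09:05:00Z", "operation": "BotComponentUpdate",
     "actor": "dev@example.test", "component": "cr123_agent.topic.Signin"},
    {"id": "e3", "time": "2025-01-01T09:10:00Z", "operation": "BotComponentUpdate",
     "actor": "ops@example.test", "component": "cr456_helpdesk.topic.Greeting"},
    {"id": "e4", "time": "2025-01-01T10:00:00Z", "operation": "Consent to application",
     "actor": "user@example.test", "scopes": ["User.Read", "Mail.Send"]},
    {"id": "e5", "time": "2025-01-01T10:30:00Z", "operation": "Consent to application",
     "actor": "admin@example.test", "scopes": ["Mail.ReadWrite", "Notes.ReadWrite"],
     "admin_consent": True},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Passing a set of administrator account names as `privileged` raises their consent events to high severity even when the consent itself is not tenant-wide.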

User education is critical. Employees and administrators should be trained to recognize OAuth consent phishing attempts, understand the risks of granting permissions to unfamiliar applications, and report suspicious activity promptly. Regular reviews of permissions granted to applications should be conducted, and unnecessary or excessive permissions should be revoked.

In the event of suspected compromise, affected OAuth tokens should be revoked immediately, and a thorough investigation should be conducted to identify the scope of access and potential data exfiltration.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced analytics and continuous monitoring capabilities empower security teams to identify emerging threats, enforce best practices, and ensure compliance with industry standards. By leveraging Rescana’s platform, organizations can proactively manage their cyber risk posture and respond effectively to evolving threats in the modern digital landscape.

For questions or further information, we are happy to assist at ops@rescana.com.
