New CoPhish Attack Steals OAuth Tokens via Copilot Studio Agents
Category: Phishing / Cloud Security
Researchers at Datadog Security Labs discovered a new phishing method dubbed 'CoPhish' that abuses Microsoft Copilot Studio agents to deliver malicious OAuth consent requests. The attack leverages legitimate Microsoft domains to deceive users into approving fraudulent app permissions, enabling token theft and potential account takeover. Microsoft confirmed the issue and is planning updates to address the risk.
CORTEX Protocol Intelligence Assessment
Business Impact: This campaign targets enterprises using Microsoft Copilot services, exposing OAuth governance gaps that can enable unauthorized access to corporate data.
Technical Context: Attackers configure malicious Copilot Studio agents to redirect OAuth tokens to external servers; because the consent request is served from a trusted Microsoft domain, users have little reason to suspect it.
Strategic Intelligence Guidance
- Restrict admin consent and enforce app verification policies in Entra ID.
- Disable default user app registration for non-admins.
- Continuously monitor Copilot Studio agent creation and OAuth events.
- Educate users on OAuth phishing indicators and permissions review.
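As an added example (not code from the brief or from Datadog), the following Python triage screens app-consent audit events for the indicators the guidance above asks teams to monitor: end-user consent to high-risk delegated scopes, unverified publishers, refresh-token grants, and a burst of distinct users approving the same app. The event layout and the sample records are constructed assumptions, not the exact Entra ID audit schema.

```python
"""Triage Entra ID app-consent audit events for OAuth consent phishing.
Added example, not from the brief. The event layout is a simplified, constructed
one (an assumption, not the exact Entra audit schema); map real exports onto it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Delegated scopes that give a third-party app broad or persistent access.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "offline_access"}

def assess_consent(event):
    """Return the reasons one consent event deserves review (empty if none)."""
    reasons = []
    scopes = set(event.get("scopes", []))
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky and not event.get("is_admin_consent", False):
        reasons.append("end-user consent to high-risk scopes: " + ", ".join(risky))
    if not event.get("publisher_verified", False):
        reasons.append("publisher of app %r is not verified" % event.get("app_display_name"))
    if "offline_access" in scopes:
        reasons.append("offline_access issues a refresh token, so access outlives the session")
    return reasons

def find_consent_bursts(events, window_minutes=60, min_users=3):
    """Flag apps that several distinct users approved inside one time window;
    a lure delivered to many mailboxes produces exactly this pattern."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev["app_id"]].append((datetime.fromisoformat(ev["timestamp"]), ev["user"]))
    window, bursts = timedelta(minutes=window_minutes), {}
    for app_id, rows in by_app.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            users = {u for t, u in rows[i:] if t - t0 <= window}
            if len(users) >= min_users:
                bursts[app_id] = sorted(users)
                break
    return bursts

def _ev(ts, user, app_id, name, verified, admin, scopes):
    return {"timestamp": ts, "user": user, "app_id": app_id, "app_display_name": name,
            "publisher_verified": verified, "is_admin_consent": admin, "scopes": scopes}

# Constructed sample: three users approve the same unverified app within 20 minutes.
LURE = ["User.Read", "Mail.Read", "offline_access"]
SAMPLE_EVENTS = [
    _ev("2025-10-26T09:00:00", "alice@example.test", "app-1", "Copilot Helper", False, False, LURE),
    _ev("2025-10-26T09:08:00", "bob@example.test", "app-1", "Copilot Helper", False, False, LURE),
    _ev("2025-10-26T09:19:00", "carol@example.test", "app-1", "Copilot Helper", False, False, LURE),
    _ev("2025-10-26T11:00:00", "dave@example.test", "app-2", "HR Portal", True, True, ["User.Read"]),
]
```

Feed `assess_consent` each exported consent record and `find_consent_bursts` the whole batch; a non-empty result for an app nobody in IT has registered is the point at which to revoke its grants and review who consented.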
Intelligence Source: New CoPhish attack steals OAuth tokens via Copilot Studio agents | Oct 26, 2025