Experts warn Microsoft Copilot Studio agents are being hijacked to steal OAuth tokens

News
By published

Microsoft acknowledges the risk, so users should be cautious

Windows 11 Copilot App AI Agents
(Image credit: Microsoft)
  • CoPhish uses Copilot Studio agents to phish OAuth tokens via fake login flows
  • Attackers exploit Microsoft domains to appear legitimate and access sensitive user data
  • Mitigations include restricting app consent, enforcing MFA, and monitoring OAuth activity

Security researchers from Datadog Security Labs are warning about a new phishing technique weaponizing Microsoft Copilot Studio agents to steal OAuth tokens and grants attackers access to sensitive information in emails, chats, calendars, and more.

The technique is named CoPhish, and while Microsoft confirmed it is a social engineering technique, it acknowledged it and said it will work on addressing it.

Here is how it works: an attacker can build, or share, a Copilot Studio agent (called “Topic”), whose user interface includes a “Login” or consent flow. If a victim clicks on the button, the flow will request Microsoft Entra/OAuth permissions. By approving the request, the victim essentially hands over OAuth tokens to attackers, which can then use them to access mail, chat, calendar, files, and automation capabilities inside the victim’s tenant.

Addressing through product updates

The technique is particularly dangerous, Datadog stressed, because the agents are using legitimate Microsoft domains (copilotstudio.microsoft.com). This, together with the agent UI, could make the victim believe its authenticity, and lower their guard.

Microsoft has acknowledged the potential for abuse and confirmed it would be working on addressing it: "We've investigated this report and are taking action to address it through future product updates," a spokesperson said.

"While this technique relies on social engineering, we remain committed to hardening our governance and consent experiences and are evaluating additional safeguards to help organizations prevent misuse."

If you are worried about being targeted this way, there are immediate mitigations to apply which can reduce risk. That includes restricting third-party app consent (requires admin consent), enforcing conditional access and MFA, blocking (or closely reviewing) Copilot Studio shared and published agents, monitoring unusual app registrations and granted OAuth tokens, and revoking suspicious tokens and apps.

Via BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.