CoPhish Attack Abuses Microsoft Copilot to Hijack Admin OAuth Tokens

A novel phishing method named 'CoPhish' exploits Microsoft Copilot Studio to deliver fraudulent OAuth consent prompts from legitimate Microsoft domains. Researchers at Datadog discovered that attackers can create a malicious Copilot agent and share it via an official "demo website" URL, which increases the lure's credibility. The agent is configured with a login topic that redirects users to a malicious application, tricking them into granting permissions.

This technique is particularly effective against administrators, who have the privilege to approve consent requests for unverified applications. When a victim clicks the login button, they are taken through a standard OAuth consent flow, but the resulting session token is silently captured by the attacker. Because the token is forwarded from Microsoft's infrastructure rather than from the victim's browser, the exfiltration does not appear in the user's web logs.

Microsoft has acknowledged the issue and plans to address it in a future update, though the attack's core reliance on social engineering remains. For now, organizations are advised to limit administrative privileges, enforce strict application consent policies, and monitor Copilot Studio agent creation. Disabling application registration for default users can also help mitigate this emerging threat.
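Two of the mitigations above (the default-user consent policy and default-user application registration) are tenant-wide settings exposed by the Microsoft Graph `authorizationPolicy` resource. The following audit script is an added example, not code from the article or from Datadog; the Graph endpoint and built-in policy ids are real, while the two tenant responses are constructed so the check runs offline.

```python
"""Audit the Entra ID settings behind two CoPhish mitigations:
default-user app registration and the default-user consent policy.
Added example; the sample tenant responses below are constructed."""
import json
import urllib.request

GRAPH_AUTHZ_POLICY = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Built-in permission-grant policy that lets any user consent to any app.
# The "...-low" variant limits users to low-impact permissions on apps
# from verified publishers, which is the usual hardened setting.
BROAD_CONSENT_POLICIES = {
    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy",
}

def fetch_authorization_policy(access_token: str) -> dict:
    """Fetch the tenant authorizationPolicy (token needs Policy.Read.All)."""
    req = urllib.request.Request(
        GRAPH_AUTHZ_POLICY, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_consent_exposure(policy: dict) -> list[str]:
    """Return findings that widen the blast radius of consent phishing."""
    findings = []
    perms = policy.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps", True):
        findings.append("default users may register applications (allowedToCreateApps=true)")
    grant_ids = set(policy.get("permissionGrantPolicyIdsAssignedToDefaultUserRole", []))
    broad = grant_ids & BROAD_CONSENT_POLICIES
    if broad:
        findings.append(f"default users may consent to any application: {sorted(broad)}")
    return findings

# Constructed sample: a tenant still on the permissive defaults.
WEAK_TENANT = {
    "defaultUserRolePermissions": {"allowedToCreateApps": True},
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [
        "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
}
# Constructed sample: app registration off, consent limited to low-impact permissions.
HARDENED_TENANT = {
    "defaultUserRolePermissions": {"allowedToCreateApps": False},
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [
        "ManagePermissionGrantsForSelf.microsoft-user-default-low"],
}

if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, audit_consent_exposure(tenant) or ["no findings"])
```

Note that these settings govern ordinary users only; administrators can still grant consent to unverified applications, which is why the article's advice to limit administrative privileges remains the primary control.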
