The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

Copilot Studio Phishing Alert: New CoPhish Attack Exposed

ByRadia
Published27 Oct, 2025
Copilot Studio Phishing Alert: New CoPhish Attack Exposed
Radia27 Oct, 2025

Imagine logging into a familiar service one you trust, on a domain you recognize and handing over access to your email, files, or calendar without realizing it. That’s exactly what’s happening with the latest attack vector targeting Copilot Studio: a technique dubbed CoPhish. In this article we’ll unpack how this attack works, why the threat is acute, and what organisations and users can do to secure their environments against token theft and malicious agents.

When companies adopt tools like Copilot Studio to boost productivity and automation, they often assume these platforms are safe by virtue of the vendor brand. But as the security researchers at Datadog Security Labs recently discovered, that very assumption can be weaponised.

In the so-called CoPhish attack, threat actors exploit Copilot Studio’s low-code agent framework to carry out OAuth consent phishing leading to full token hijacking and data exfiltration. In other words: trust in Copilot Studio becomes the attacker’s advantage.

Why does this matter? Because OAuth tokens are like keys to a castle. Once stolen, attackers can act as the user reading emails, accessing files, sending on behalf, or creating persistence. That puts organisations’ identity systems, cloud data and trust frameworks at risk. Below we’ll walk through how Copilot Studio becomes the conduit for OAuth token theft, what this means for enterprise security, and what you can do to defend your estate.

How the CoPhish Attack Works in Copilot Studio

What is OAuth consent phishing?

At its heart, OAuth consent phishing is a trick where the attacker gets you to grant permissions to an app you didn’t fully understand. Under the model of Microsoft Entra ID or similar identity systems, a malicious app asks “Do you consent to share X, Y, Z permissions?” If you say yes, you end up issuing an access token. That token gives the attacker the same rights the app holds so if it asked for Mail.ReadWrite, it can read and send your mail

The role of Copilot Studio agents

Copilot Studio allows creation of chat-bots (or “agents”) built on a bona-fide Microsoft domain (e.g., copilotstudio.microsoft.com). The user interface feels legitimate. The key attack vector: an attacker sets up a malicious agent and configures its “Login” topic to redirect the user’s consent to a malicious OAuth application and then quietly exfiltrate the token.

Step-by-step: How CoPhish plays out

1.     The attacker builds an agent in Copilot Studio (in their own tenant or compromised one) and enables the demo website, which gives a link like
https://copilotstudio.microsoft.com/environments/Default-{tenant-id}/bots/Default_{bot-name}/canvas
because it sits on Microsoft’s domain it appears trustworthy.

2.     They configure the agent’s sign-in topic: when the user clicks “Login”, the agent calls an OAuth application they control. This application requests scopes (permissions) that appear innocuous or allowed under current policy. For an administrator target, even broad scopes like Files.ReadWrite.All may be requested.

3.     The user (targeted via email, Teams message, or other channel) clicks the link, clicks “Login”, consents, and the flow completes via token.botframework.com (a legitimate step in Copilot Studio). Behind the scenes an HTTP request embedded in the system topic sends the User.AccessToken to attacker-controlled infrastructure. Because the token was sent from Microsoft infrastructure, the traffic may look benign in network logs.

4.     With the token in hand, the attacker now has the user’s permissions. They can access emails, files, calendars, create new apps, etc., depending on the consent granted. The user is none the wiser they continue to chat with the agent.

Why this is especially dangerous

·       The domain (copilotstudio.microsoft.com) is trusted, reducing suspense or suspicion from users.

·       Because the token exfiltration happens on Microsoft’s infrastructure, it may bypass usual network-monitoring filters.

·       Even with Microsoft’s updated default consent policy (July 2025) which blocks many broad scopes for normal users, adversaries can still target internal users and especially administrators, who can consent to apps outside those blocks.

·       The low-code nature of Copilot Studio means many organisations may not have strong governance over agent creation and topic modification, making the platform ripe for abuse.

Real-World Example: CoPhish in Action

Let’s say a mid-sized enterprise uses Microsoft 365 and has started pilots of Copilot Studio for internal automation. A threat actor sets up an agent titled “ExpenseHelperBot” and sends a message to a finance user: “Login here to reconcile your travel expenses.” The link is hosted on copilotstudio.microsoft.com so the user clicks, sees a familiar Microsoft login UI with “Login” button, consents.

Behind the scenes the malicious OAuth app requests Notes.ReadWrite, Mail.ReadWrite, and the user approves. The token is immediately exfiltrated to the attacker’s server. The attacker now sends phishing emails from the user, harvests attachments, and escalates privileges. The victim has no idea.

In another scenario, the attacker targets an Application Administrator. They send a link to a Copilot Studio agent titled “AdminConsoleHelper”. The admin clicks and consents to an external unverified application requesting Application.ReadWrite.All.

Since Application Administrators can consent to apps outside the default user consent policy, the attacker now obtains full read/write privileges over applications letting them persist longer. These scenarios match the publicly reported “Scenario 1” and “Scenario 2” in the Datadog analysis.

The takeaway: even well-managed tenants can be vulnerable, especially via AI/automation tools that aren’t strictly locked down.

ChatGPT Image Oct 27, 2025, 01_28_44 PM

Why This Hapens: Root Causes

Several underlying gaps enable this kind of attack:

1.     Low-code/agent platforms lack governance: Copilot Studio allows agent creation, editing of system topics (including “sign-in”), and sharing externally. Without strong controls, this becomes a blind spot.

2.     OAuth consent policies still have gaps: Microsoft’s default “microsoft-user-default-recommended” consent policy (July 2025) blocks many broad permissions for standard users, but administrators remain exempt and internal apps may still request allowed scopes.

3.     Trusted domains reduce suspicion: Using a Microsoft-branded domain for the agent link makes the phishing vector more convincing. Users are less likely to hesitate when they see “copilotstudio.microsoft.com”.

4.     Token exfiltration hidden inside legitimate flows: Because the agent triggers the HTTP request from Microsoft infrastructure, security monitoring tools may not flag it as suspicious.

5.     Admin-consent remains a high-risk vector: Admins can approve external/unverified apps with broad permissions. Attackers exploiting that can take full control. By understanding these root causes, we can craft better mitigations.

Mitigation & Security Best Practices for Copilot Studio

If your organisation uses Copilot Studio, the time to act is now. Here are recommended steps to secure your environment:

1. Enforce a strong application-consent policy

Don’t rely solely on Microsoft’s defaults. Customize a policy that blocks or requires review for any app requesting high-risk scopes like Mail.ReadWrite, Files.ReadWrite.All, Sites.ReadWrite.All, Application.ReadWrite.All. Track consent logs for unusual activity.

malicious CopilotStudio page. source

Screenshot 2025-10-27 133443

Unprivileged internal user.source

Screenshot 2025-10-27 134311

2. Restrict agent creation and sharing

Limit the number of users who can create agents in Copilot Studio. Prevent wide external sharing of demo websites unless strictly vetted. Ensure that only trusted developers with least privilege can build and share agents. Monitor for unexpected agent creation events (BotCreate, BotComponentUpdate).

3. Monitor OAuth consent events and agent modifications

Use your SIEM or cloud audit logs to watch for events like: “Consent to application”, “BotCreate”, “BotComponentUpdate”, and modifications to sign-in topics in agents. Flag consent requests from unverified apps or unusual scopes.

4. Educate users and administrators

Ensure non-technical users recognise that even trusted domains can host malicious links. Train admins to scrutinise applications they are asked to approve. Simulate phishing scenarios with Copilot-style lures. Combine education with technical controls.

5. Revoke compromised OAuth tokens swiftly

If suspicious consent is detected, immediately revoke the token or block the application. Use conditional access and revoke sessions. Review app registrations to remove any malicious or unused ones.

6. Apply least-privilege access model

Even for productivity tools, ensure agents and apps request minimum privileges. Avoid broad scopes where read/write isn’t strictly necessary. Restrict admin roles and apply multi-factor authentication, conditional access and just-in-time elevation for privileged users.

7. Review periodic platform-specific controls

Stay informed of upcoming changes: Microsoft announced further consent-policy updates in late October 2025 which will narrow the gap for standard users. Ensure your environment is prepared for new defaults and any additional safeguards introduced by Microsoft for Copilot Studio.

Detecting a Malicious Agent or OAuth Consent Phishing

How can you spot when someone may be attempting a CoPhish attack in your organisation? Here are key indicators:

·       A Copilot Studio agent has a public demo website link that wasn’t approved or logged by your governance process.

·       A user receives an unexpected link to a “Microsoft” service (especially in Teams or email), asks them to “Login” before using a bot.

·       Audit logs show “Consent to application” event for an external/unverified app, especially requesting high-risk scopes.

·       Changes in the bot’s “sign-in” topic or other system topics (e.g., addition of “HTTP Request” action) in a Copilot agent.

·       Network traffic shows token-sized strings being sent to unusual endpoints although this may be concealed behind Microsoft traffic.

·       Unusual application-registrations in your tenant associated with Copilot Studio-agents or unexpected reply URLs like token.botframework.com/.auth/web/redirect.

If you encounter these signs, take immediate action to suspend the agent, review the app registration, assess exposed permissions, and revoke tokens.

Why Organisations Must Act Now

The convergence of AI-agent platforms, low-code automation, and identity access is a dangerous frontier. Tools like Copilot Studio were designed for productivity but productivity without governance becomes risk.

The CoPhish attack shows how cleverly threat actors can weaponise familiar domains, trusted workflows, and clever redirections. For an organisation, the cost isn’t just the compromised token it’s the downstream activities: compromised mailboxes, data leaks, identity takeover, lateral movement.

One practitioner I spoke with described it this way: "It’s as if you handed the attacker a guest key to your main office but told them it’s only for the coffee machine." The attacker proceeds to walk into executive offices, plant bugs, and exit with sensitive documents. Once the token is in their hands, they already have the door open.

Given the pace of adoption for Copilot-style agents in enterprises, now is the moment to review your governance, identity controls, and user awareness. Waiting until an incident occurs is far costlier than locking down your agent/consent ecosystem now.

Wrap-up

In this era of hybrid cloud, AI agents and identity-centric threats, the phrase Copilot Studio OAuth token exfiltration explained isn’t just click-bait it’s a wake-up call. The CoPhish attack leverages the trusted interface of Copilot Studio agents, twists OAuth consent into a trap, and quietly steals tokens that give persistent access to sensitive data and systems. But the good news is: the defensive steps are clear.

By enforcing robust application consent policies, restricting agent creation/sharing, monitoring audit events, revoking compromised tokens and educating your people, you can greatly reduce risk.

If you control or help secure a Copilot Studio environment, don’t treat this as a theoretical threat. Assume attackers will try this method. Review your policies, hard-audit your agents and app-registrations, and make sure everyone in the enterprise knows: even benign-looking chatbots can carry dangers. The stakes are real. The time to act is now.

Secure your Copilot Studio estate before the next token is stolen.

 FAQs

Q1: What is Copilot Studio and how does it relate to OAuth token theft?
Copilot Studio is Microsoft’s low-code platform for building chatbots (agents) that run on copilotstudio.microsoft.com. Attackers can exploit its “sign-in” topic to embed OAuth flows, tricking users into granting permissions to malicious apps, and then exfiltrating the returned tokens.

Q2: What does CoPhish mean and why is it dangerous in the context of Copilot Studio?
CoPhish refers to the new phishing technique that wraps an OAuth consent attack inside a Copilot Studio agent. Because the domain is Microsoft-branded and the interface looks trustworthy, users are more likely to consent. Once the token is stolen, attackers can act as the user with full permissions.

Q3: How can I detect malicious Copilot Studio agents in my organisation?
Look for unapproved demo website links, unexpected agent creation events, unusual “Consent to application” entries in your audit logs, modifications to agent sign-in topics, and OAuth app registrations with high-risk scopes. Monitoring these indicators gives early warning of potential token hijack.

Q4: What are the best practices to prevent OAuth consent phishing in Copilot Studio?
Enforce a strong application-consent policy blocking high-risk permissions, restrict who can create/share agents, monitor agent/audit activity, use least-privilege for apps, require multi-factor authentication especially for admins, and regularly review app-registrations and tokens for compromise.

Q5: If a token is compromised via Copilot Studio, what steps should I take?
Immediately revoke the token or disable the compromised app registration, disable the malicious agent, review what data the token had access to (email, files, etc.), check for lateral movement or unusual activity, enforce password resets or re-authentication if necessary, then review your governance and consent policy to close the gap.

Hoplon Infosec’s Mobile Security service protects organizations from phishing and OAuth token theft by securing mobile access to cloud platforms like Microsoft Copilot Studio.

You can also read these important cyber security news articles on our website.

·       Apple Update,

·       Windows Problem,

·       Chrome Warning,

·       Chrome Problem,

·       Synology Issue,

·       Windows Fix,


 

 

 

About the author

R

Radia

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo
Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now
15 Jul, 2026

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now

SonicWall SMA1000 zero-day vulnerabilities are under active attack. See affected versions, CVE details, IOC checks and the patch you need right now.

Read More
Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide
15 Jul, 2026

Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide

Windows 11 KB5101650 is blocked on some Dell PCs after an Intel driver conflict triggered shutdowns and overheating. Here is what happened and what to do.

Read More
OFAC Sanctions First VPN Service Over Ransomware
14 Jul, 2026

OFAC Sanctions First VPN Service Over Ransomware

Learn why OFAC sanctioned First VPN Service and a malware cryptor seller, how 1VPNS helped ransomware groups, and how to defend against FSB router attacks.

Read More
CVE-2026-57807: Critical WordPress SSO Flaw Explained
13 Jul, 2026

CVE-2026-57807: Critical WordPress SSO Flaw Explained

CVE-2026-57807 affects miniOrange OAuth SSO through 38.5.8. Learn who is exposed, how the flaw works, plus safe mitigation and incident response steps.

Read More
Mobile App Security Guide: Risks, Fixes and Best Practices
13 Jul, 2026

Mobile App Security Guide: Risks, Fixes and Best Practices

Mobile app security explained simply, covering real risks, OWASP threats, encryption and practical steps to protect any app from hackers.

Read More
Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims
13 Jul, 2026

Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims

Apple OpenAI lawsuit explained. See what Apple accuses Tang Tan, Chang Liu and OpenAI of stealing, and what it means for hardware security.

Read More