Researchers warn ‘CoPhish’ uses Microsoft Copilot Studio agents to harvest OAuth tokens

Researchers at Datadog Security Labs have described a phishing technique they call “CoPhish” that uses Microsoft Copilot Studio agents to present fraudulent OAuth consent requests from legitimate Microsoft-hosted pages, enabling attackers to collect session tokens.

Copilot Studio agents are hosted on copilotstudio.microsoft.com and can be shared via a built-in “demo website” feature, making the page URL appear to be a trusted Microsoft domain. Datadog researchers detail how an attacker can configure an agent’s Login topic to redirect users to an authentication flow and forward an access token to an attacker-controlled endpoint; the researchers provide technical details in a report.

The researchers say an attacker can register a malicious multi-tenant application, configure the sign-in settings to collect the token (for example by sending the token in an HTTP header to a collaborator URL) and then distribute the Copilot-hosted demo site in phishing emails or Teams messages. An administrator who consents to the application’s permissions can be redirected through an OAuth endpoint used by Copilot and, according to the report, have their session token forwarded without an on-screen notification.

Microsoft said it has investigated the issue and plans product updates to address the underlying causes. The company said the technique relies on social engineering and that it is reviewing additional safeguards for governance and consent experiences. Datadog’s Katie Knowles also notes that some default policy changes proposed by Microsoft would limit exposure for unprivileged users to a narrower set of permissions, but that high-privileged roles could remain susceptible to externally registered applications.

To reduce risk, Microsoft recommended limiting administrative privileges, tightening application permissions and enforcing governance policies. Datadog advised implementing a strong application consent policy, disabling user application creation defaults and monitoring application consent and Copilot Studio agent creation events in Entra ID.
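One way to act on the consent-monitoring advice above, as an added example (not code from Datadog, Microsoft or this article): a Python triage pass over exported Entra ID audit records that flags "Consent to application" events for unapproved service principals when the consent is admin consent or includes high-risk scopes. The sample records are constructed and simplified, and the field layout, scope list and approved IDs are assumptions to check against your own export.

```python
import re

# Assumption: delegated scopes this example treats as high-risk; tune per tenant.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Notes.ReadWrite", "Application.ReadWrite.All"}
# Assumption: service principal object IDs already reviewed (placeholder value).
APPROVED_SP_IDS = {"00000000-0000-0000-0000-0000000000aa"}

def _sample(sp_id, name, upn, admin, scopes):
    """Build one constructed consent record in a simplified Entra audit-log shape."""
    perms = f'"[] => [[Id: x, Scope: {scopes}, CreatedDateTime: ]];"'
    return {"activityDisplayName": "Consent to application",
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": sp_id, "displayName": name, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": f'"{admin}"'},
                {"displayName": "ConsentAction.Permissions", "newValue": perms}]}]}

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    _sample("00000000-0000-0000-0000-000000000001", "Demo Helper",
            "admin@contoso.example", "True", "Mail.ReadWrite Files.ReadWrite.All openid"),
    _sample("00000000-0000-0000-0000-0000000000aa", "Approved App",
            "user1@contoso.example", "False", "Mail.Send"),
    _sample("00000000-0000-0000-0000-000000000002", "Calendar Widget",
            "user2@contoso.example", "False", "openid profile"),
    _sample("00000000-0000-0000-0000-000000000003", "Notes Sync",
            "user3@contoso.example", "False", "Notes.ReadWrite"),
]

def review_consents(events):
    """Return findings for consents to unapproved apps that are admin-wide or high-risk."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue  # only consent grants are in scope for this check
        for target in ev.get("targetResources", []):
            if target.get("id") in APPROVED_SP_IDS:
                continue  # already reviewed and allowlisted
            props = {p["displayName"]: (p.get("newValue") or "").strip('"')
                     for p in target.get("modifiedProperties", [])}
            perms = props.get("ConsentAction.Permissions", "")
            scopes = {s for m in re.finditer(r"Scope:\s*([^,\]]*)", perms)
                      for s in m.group(1).split()}
            risky = sorted(scopes & HIGH_RISK_SCOPES)
            is_admin = props.get("ConsentContext.IsAdminConsent", "").lower() == "true"
            if is_admin or risky:
                findings.append({"app": target.get("displayName"), "admin_consent": is_admin,
                                 "by": ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
                                 "risky_scopes": risky,
                                 "severity": "high" if is_admin and risky else "medium"})
    return findings
```

Calling `review_consents(SAMPLE_EVENTS)` returns two findings: the admin consent to "Demo Helper" at high severity and the user consent to "Notes Sync" at medium.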

It is not known whether CoPhish attacks have been observed in active campaigns beyond the research demonstrations. Security teams should treat the technique as a new social-engineering vector against OAuth consent workflows and consider the suggested mitigations while Microsoft implements product changes.