CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing


Copilot Studio agents can be configured to redirect users to arbitrary OAuth consent flows and exfiltrate tokens, enabling OAuth phishing attacks that leverage legitimate Microsoft domains and services. The technique abuses agent sign-in topics and HTTP actions to forward User.AccessToken to attacker-controlled endpoints, affecting Entra ID tenants and administrative roles. #CopilotStudio #EntraID

Keypoints

  • Copilot Studio agents host customizable sign-in flows where the “Login” button can redirect users to attacker-controlled OAuth consent workflows on valid Microsoft domains.
  • An attacker can add an HTTP Request action to an agent’s system sign-in topic to forward the User.AccessToken directly to a malicious URL (exfiltration performed from Microsoft infrastructure).
  • OAuth consent attacks (T1528) remain viable for two main scenarios: unprivileged users consenting to allowed internal app permissions, and administrative-role users consenting to any permissions.
  • Microsoft’s July 2025 default application consent policy (microsoft-user-default-recommended) blocks some Graph permissions (Sites/Files) but still permits Mail/Chat/Calendar/OneNote scopes that enable data access.
  • Administrators with Application Administrator or Cloud Application Administrator roles can consent to any permissions and remain at high risk despite default policy changes expected in October 2025.
  • Attack flow: attacker creates Copilot Studio agent → configures malicious app registration (reply URL token.botframework.com) → shares demo site link → user authenticates → agent captures and forwards token → attacker uses token to act as user.
  • Mitigations include enforcing a stricter application consent policy, disabling default user app registration, monitoring Entra ID and Microsoft 365 audit logs, and monitoring Copilot Studio events (BotCreate, BotComponentUpdate).
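The audit-log monitoring named in the last keypoint can be sketched as a small triage pass; this is an added example, not code from the original article. The flattened record shape (`Operation`, `UserId`, `ReplyUrls`, `Scopes`) and the mapping of the page's Mail/Chat/Calendar/OneNote wording onto the Graph scope prefixes `Mail`, `Chat`, `Calendars` and `Notes` are assumptions; map your own export's fields onto it.

```python
from urllib.parse import urlsplit

# Copilot Studio operations the page recommends monitoring.
BOT_OPERATIONS = {"BotCreate", "BotComponentUpdate"}
# Redirect URL the page lists for the app registration (host, path).
REDIRECT = ("token.botframework.com", "/.auth/web/redirect")
# Graph scope families the page says the default policy still permits (assumed prefixes).
DATA_FAMILIES = {"Mail", "Chat", "Calendars", "Notes"}

def is_bot_redirect(url):
    """Exact host and path match, so look-alike hosts do not count."""
    parts = urlsplit(url)
    return ((parts.hostname or "").lower(), parts.path.rstrip("/")) == REDIRECT

def data_scopes(scope_string):
    """Return the consented scopes that grant mail, chat, calendar or notes access."""
    return sorted(s for s in scope_string.split() if s.split(".")[0] in DATA_FAMILIES)

def triage(records):
    """Return (user, operation, reason) leads for review."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "").rstrip(".")  # tolerate a trailing period
        user = rec.get("UserId", "unknown")
        if op in BOT_OPERATIONS:
            findings.append((user, op, "Copilot Studio agent created or modified"))
        elif op == "Consent to application":
            scopes = data_scopes(rec.get("Scopes", ""))
            if scopes and any(is_bot_redirect(u) for u in rec.get("ReplyUrls", [])):
                findings.append((user, op, "Bot Framework redirect with " + " ".join(scopes)))
    return findings

# Constructed sample records in an assumed, flattened shape (not real export output).
SAMPLE_RECORDS = [
    {"Operation": "BotComponentUpdate", "UserId": "alice@example.com"},
    {"Operation": "Consent to application.", "UserId": "bob@example.com",
     "ReplyUrls": ["https://token.botframework.com/.auth/web/redirect"],
     "Scopes": "Mail.ReadWrite Mail.Send Notes.ReadWrite"},
    {"Operation": "Consent to application", "UserId": "carol@example.com",
     "ReplyUrls": ["https://app.example.com/callback"], "Scopes": "User.Read"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

A hit is a lead for review rather than a verdict, because the redirect URL and the agent operations belong to legitimate Microsoft services.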

MITRE Techniques

  • [T1528] OAuth Application Consent – Used to trick users into consenting to an application that returns a token to the attacker: “…the attacker then lures the user into consenting to the application through Entra ID’s application consent workflow.”

Indicators of Compromise

  • [Domain] Malicious Copilot Studio demo site – example: copilotstudio.microsoft.com/environments/Default-{tenant-id}/bots/Default_{bot-name}/canvas
  • [Redirect/Service URL] OAuth redirect / token exchange – example: https://token.botframework.com/.auth/web/redirect
  • [HTTP exfiltration endpoint] Token receiver used in examples – example: Burp Collaborator URL (token seen in “Token” header), and other attacker-controlled endpoints
  • [Token] Exfiltrated user access token – example: “eyJ[…]” containing scopes “Mail.ReadWrite Mail.Send Notes.ReadWrite”


Read more: https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/