Security researchers at Datadog Security Labs have detailed a new phishing technique, dubbed ‘CoPhish,’ that abuses Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate Microsoft domains.
Datadog’s report says Copilot Studio agents are chatbots that perform tasks through automations (called "topics") configured by users. Agents can be shared on Microsoft's domain by enabling the ‘demo website’ feature. Because the demo pages live on Microsoft’s own domain and mimic normal Copilot behavior, users are more likely to trust and interact with them. An attacker configures an agent’s Login topic to trigger an OAuth consent flow or to redirect users to an attacker-controlled endpoint and capture the victim’s session token.
The report describes how the malicious workflow can send the access token to an external service (for example a Burp Collaborator URL) by including the token in an HTTP header, and how the application’s client ID, secret and auth URLs are used to configure the agent’s sign-in settings.
Datadog warns the attack can target administrators who have the ability to approve application permissions in a tenant, including permissions for applications that are unverified or externally registered.
According to the report, current Copilot Studio defaults let attackers obtain broader permissions (email, chat, calendar) in some configurations, and that planned Microsoft policy changes would restrict that scope to OneNote read/write in many cases. However, Datadog says that high-privilege roles such as Application Administrator could still be targeted after the update.
Because the token is forwarded from Copilot using Microsoft IP addresses and standard Copilot authentication domains (the OAuth redirect URL used in the workflow is token.botframework.com), victims won’t necessarily see suspicious external traffic in their logs after authentication, Datadog says. One visual clue, the researchers say, is presence of a Microsoft Power Platform icon on the demo page.