Researchers at Datadog Security Labs called the new phishing technique “CoPhish” and showed how malicious Copilot Studio agents can host OAuth consent flows on Microsoft domains to trick users into granting access, allowing attackers to capture session tokens and escalate access.
Immediate risk assessment
- The attack uses Microsoft-hosted demo pages and customizable sign-in topics to present legitimate-looking consent prompts that can redirect and exfiltrate tokens.
- Administrators and high-privilege roles are the most valuable targets because they can approve unverified app permissions and broaden attacker access.
- Network logs may not reveal the exfiltration because requests originate from Microsoft infrastructure and use legitimate redirect flows.
Immediate mitigations
- Enforce least privilege for administrative roles and remove unnecessary Global/Privileged roles from routine accounts.
- Block or audit creation of multi-tenant applications and disable user app registrations by default in Entra ID.
- Apply a strict application consent policy that requires admin approval for high-risk permissions and blocks unverified apps.
- Temporarily restrict Copilot Studio demo website sharing inside the tenant or limit demo exposure to approved internal audiences.
- Require reinforced multi-factor authentication for any account that can consent to application permissions.
Detection and monitoring steps
- Audit Entra ID application consent events for newly consented apps, unusual consent times, and consent granted by admins.
- Monitor Copilot Studio agent creation and demo website enablement events for unknown owners or external app IDs.
- Alert on new multi-tenant app registrations and on redirect URIs that include unexpected domains or third-party collaborator endpoints.
- Correlate suspicious consent events with sign-in sessions to identify possible token capture even when traffic appears to originate from Microsoft IPs.
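
One way to run the consent-event audit from the list above, as an added example that is not code from Datadog's research. The record shape is a simplified one assumed to follow the Microsoft Graph directoryAudit resource (including the `ConsentContext.IsAdminConsent` property name); the allow-list, working hours, app IDs and sample events are constructed.

```python
from datetime import datetime

# Hypothetical allow-list of approved app IDs and working hours (UTC).
APPROVED, UNKNOWN = "00000000-0000-0000-0000-0000000000a1", "00000000-0000-0000-0000-0000000000b2"
APPROVED_APPS = {APPROVED}
WORK_HOURS_UTC = range(7, 19)

def _event(activity, when, upn, app_id, app_name, admin):
    """Build a constructed audit record in the simplified shape assumed here."""
    return {"activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": app_id, "displayName": app_name,
                                 "modifiedProperties": [
                                     {"displayName": "ConsentContext.IsAdminConsent",
                                      "newValue": admin}]}]}

# Constructed sample events, not real tenant data.
SAMPLE_EVENTS = [
    _event("Consent to application", "2025-01-10T02:14:00Z", "admin@example.test", UNKNOWN, "Unknown App", '"True"'),
    _event("Consent to application", "2025-01-10T10:00:00Z", "user@example.test", APPROVED, "Approved App", '"False"'),
    _event("Consent to application", "2025-01-10T14:30:00Z", "user@example.test", UNKNOWN, "Unknown App", '"False"'),
    _event("Add application", "2025-01-10T03:00:00Z", "user@example.test", UNKNOWN, "Unknown App", '"False"'),
]

def flag_consents(events, approved=APPROVED_APPS, hours=WORK_HOURS_UTC):
    """Return one finding per consent that is new, admin-granted or off-hours."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue  # only consent grants are in scope for this check
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for tgt in ev.get("targetResources", []):
            props = {p["displayName"]: str(p.get("newValue", "")).strip('"').lower()
                     for p in tgt.get("modifiedProperties", [])}
            reasons = []
            if tgt.get("id") not in approved:
                reasons.append("app not on allow-list")
            if props.get("ConsentContext.IsAdminConsent") == "true":
                reasons.append("admin consent")
            if when.hour not in hours:
                reasons.append("outside working hours")
            if reasons:
                findings.append({"actor": actor, "app": tgt.get("displayName"),
                                 "time": ev["activityDateTime"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in flag_consents(SAMPLE_EVENTS):
        print(finding)
```

Findings that carry all three reasons are the ones to correlate first with the actor's sign-in sessions.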
Longer-term controls and policy changes
- Implement approved application allow-lists and require publisher verification for apps that request sensitive scopes.
- Harden governance for Copilot Studio: restrict who can create agents, require admin review of sign-in topics that perform redirects, and limit demo website exposure.
- Train admins and privileged users on OAuth consent phishing, showing examples of legitimate vs malicious consent prompts and emphasizing scrutiny of publisher and permission details.
Suggested admin notification
Subject: Urgent — CoPhish OAuth phishing via Copilot Studio agents
Body: A new technique called CoPhish leverages Copilot Studio demo pages to present legitimate-looking OAuth consent prompts and capture session tokens. Immediately disable user app registrations, restrict Copilot Studio demo site sharing, and review recent admin consent events. Follow up with an audit of newly created multi-tenant apps and apply stricter application consent policies.
Summary
Datadog disclosed “CoPhish,” a new OAuth phishing method that weaponizes Microsoft Copilot Studio agents to host malicious consent flows on Microsoft domains. Administrators can be targeted to approve unverified apps and hand over session tokens. Practical defenses: tighten admin privileges, disable user app creation, enforce stricter consent policies, and monitor Entra ID and Copilot Studio events.