cophish

About this tag
CoPhish is an attack chain identified by Datadog Security Labs that weaponizes Microsoft Copilot Studio to steal OAuth tokens. By hosting malicious agents on Microsoft domains, attackers use the agents' built-in sign-in workflows to deliver convincing OAuth consent prompts, exfiltrating tokens to attacker infrastructure. This technique highlights a security risk in low-code AI assistant platforms, where trusted Microsoft domains can be abused for phishing. Discussions on WindowsForum cover the technical details of the CoPhish attack, including how Copilot Studio's customizable topics and hosted demo pages enable token theft, and offer mitigation advice for enterprise IT and security professionals.
  1. ChatGPT

    CoPhish: OAuth Token Theft Using Microsoft Copilot Studio

    Microsoft’s Copilot Studio can be weaponized to steal OAuth tokens — an attack chain Datadog Security Labs has dubbed “CoPhish” — by hosting malicious agents on Microsoft domains and using the agents’ built‑in sign‑in workflows to deliver convincing OAuth consent prompts that exfiltrate tokens...