CoPhish: OAuth Consent Phishing via Copilot Studio

Background​

What is CoPhish and how it works​

The attack surface: Copilot Studio agents and demo websites​

The mechanics: login redirect, consent, exfiltration​

• An attacker creates a Copilot Studio agent (either in their own tenant or in a compromised tenant) and configures its sign-in (Login) topic to redirect the user to an OAuth consent workflow.
• The agent’s authentication settings can include arbitrary authorization URL templates and permission scopes; attackers use those fields to request Microsoft Graph scopes that provide read/write access to mail, chat, calendar, OneNote, or broader application-level permissions for administrators.
• After the victim clicks “Login” and consents, the resulting authorization code or token is issued within a legitimate Microsoft flow, but the agent’s automation topic is configured to make an HTTP request that forwards the token to an attacker-controlled endpoint.
• Because the exfiltration occurs from Microsoft infrastructure (the agent’s workflow runs on Microsoft’s backend), the network activity often originates from Microsoft IP ranges, making it harder to detect via traditional egress or proxy logs.

Why administrators are particularly at risk​

• Regular users in default-configured tenants can still consent to a set of Microsoft Graph permissions that Microsoft considers acceptable under certain default policies (for example, Mail.ReadWrite, Chat.ReadWrite, Calendars.ReadWrite, Notes.ReadWrite), so attackers can harvest tokens that matter even without admin privileges.
• Privileged roles such as Application Administrator or Cloud Application Administrator can consent to any application permissions and effectively grant tenant-wide privileges to malicious apps. If an admin is phished via an agent and consents to broad scopes, the attacker can escalate or execute wide-reaching actions.

The policy context — Microsoft’s shifting consent defaults​

• Administrators retain the ability to consent to broad permissions on behalf of the tenant.
• Tenants that left default settings unmodified or organizations that rely on user application registration still present opportunities for attackers to register internal apps and lure internal users to consent.
• The rollout of Microsoft-managed policy changes is gradual and may not reach every tenant or owner-configured environment at the same time.

Why CoPhish bypasses many traditional defenses​

• Trusted domain advantage: Links come from copilotstudio.microsoft.com (a Microsoft domain), so URL-based reputation checks, domain allowlists, and superficial user heuristics are less effective. Security stacks that block external or unknown domains may not catch these pages because the hosting domain is legitimate.
• OAuth-based access bypasses MFA: Consent phishing obtains tokens through user-approved authorization flows rather than credential theft. Because the token is granted by the identity provider after a consent decision, attackers can often bypass second factors and session-hardening controls that only trigger during interactive logins. This is a documented risk in consent-phishing and illicit consent grant campaigns.
• Stealthy exfiltration via platform backends: When an agent’s workflow sends the token from Microsoft’s servers, the outbound request originates from Microsoft address space — filtering or monitoring egress traffic for suspicious destinations may miss it, and endpoint logs on the victim device won’t show the token exfiltration.
• Low-code automation abuse: Copilot Studio topics are intentionally powerful to make agent integrations easy; those same automation primitives can be repurposed to perform token forwarding and other stealthy actions once a user grants consent.

What Microsoft has said and planned mitigations​

• Disable or restrict user application creation and registration where possible.
• Enforce least privilege for administrator roles and reduce the number of users who can grant admin consent.
• Configure and require an admin consent workflow, so high-risk app consent requests require an explicit review/approval step.
• Monitor Entra ID and Microsoft 365 audit logs for “Consent to application” events and for Copilot Studio-specific operations such as agent creation and topic updates.
• Treat Copilot Studio demo URLs as untrusted when received in email or chats and verify developer/owner identity before interacting.

Practical guidance for security teams (detection and hardening playbook)​

Quick triage checklist (immediate steps)​

• Revoke suspicious refresh tokens and session tokens when you detect unusual consents or rapid application registrations.
• Restrict the set of users who can register applications (set “Users can register applications” to No unless your business requires it).
• Audit recent Entra ID “Consent to application” events and look for unusual application names, creation IPs, or repeated consent grants coming from Microsoft services.

Detection rules to add now​

• Monitor audit logs for Copilot Studio agent creation (“BotCreate” workload events) and for updates to system topics (BotComponentUpdate) that mention sign-in topics or authentication settings.
• Alert on new OAuth app registrations that request unexpectedly broad Microsoft Graph scopes or that include redirect URIs to external/unexpected hosts.
• Create SIEM correlation rules that flag “consent to application” events followed by anomalous mailbox access or service principal activity originating from non-standard locations. Datadog published example detections that can be adapted to other SIEMs.

Policy and configuration hardening​

• Enforce a strict application consent policy for users: limit the scopes that non-admin users can consent to and require admin approval for any high-impact permissions.
• Use conditional access policies to protect high-privilege roles, require privileged access workstations (PAWs) for consent decisions by admins, and apply step-up authentication on risky workflow approvals.
• Implement an admin consent workflow so that users can request approval rather than freely consenting to new apps. This process reduces click-through risk in social-engineering scenarios.

User controls and education​

• Treat any Copilot Studio demo or “agent” link that arrives unsolicited as potentially malicious. Train users to verify the developer or the originating tenant and to report suspect consent prompts to the security team rather than clicking Accept.
• Include OAuth consent examples in phishing simulations so people recognize permission lists and scope names. Teach users that clicking “Accept” grants programmatic privileges that are not the same as signing into a known service.

Incident response for a suspected CoPhish compromise​

• Identify the impacted accounts and list all recent “Consent to application” events and app registrations tied to the timeframe.
• Revoke refresh tokens and active sessions for affected users; this forces token re-issuance and can cut off attacker access. Note: token revocation may not end all persistence if attacker also obtained application credentials or service principals — investigate thoroughly.
• Disable or delete the malicious application/service principal from the tenant and ensure any owner accounts are investigated for compromise.
• Audit mailbox and OneDrive access to determine data exfiltration scope; preserve logs for forensic analysis.
• Rotate credentials for any service principals or automation accounts modified or created by the attacker.
• After containment, implement consent policy hardening and additional monitoring to prevent repeat exploitation.

Strategic implications: AI platforms as new attack surfaces​

• Platform trust is fragile: security assumptions that a vendor-controlled domain equals safety are no longer sufficient. Attackers will exploit legitimate hosting and branded domains to social-engineer victims.
• Low-code and automation primitives require governance: organizations must treat agent creation, topic editing, and demo publishing as administrative activities that require approval, monitoring, and separation of duties.
• Identity-first defenses must be layered: application consent policies, admin consent workflows, conditional access, and privileged access management should work together; no single control will fully stop consent-phishing attacks.
• Vendor collaboration is necessary: platform-level mitigations (for example limiting redirect templates in publicly-hosted demo pages, adding consent UI hardening, or blocking outbound webhooks from demo environments) complement tenant-side controls and must be pursued in partnership with vendors. Datadog and other researchers pushed Microsoft to harden governance; vendor fixes reduce risk, but operational controls remain essential.

Recommended prioritized roadmap for defenders​

• Immediate (0–7 days)
• Disable user app registrations tenant-wide unless necessary.
• Turn on enhanced logging for Entra ID and Microsoft 365 audit events.
• Block or restrict demo-site distribution channels for Copilot Studio agents via policy and internal communication.
• Short term (1–4 weeks)
• Implement admin consent workflow and reduce the number of users who can grant admin consent.
• Add SIEM detections for Copilot Studio agent creation and sign-in topic edits.
• Run targeted phishing simulations focused on OAuth consent education.
• Medium term (1–3 months)
• Enforce conditional access for admin roles, deploy PAWs for sensitive tasks, and require step-up MFA for consent approvals.
• Review and remediate over-privileged service principals and apps; adopt least privilege for app registrations.
• Work with Microsoft support or account teams to understand tenant rollout schedules and to request vendor-side mitigations where applicable.
• Long term (3–12 months)
• Build governance around low-code and AI tooling: approval gates, developer identity verification, and marketplace vetting for agents.
• Integrate OAuth consent monitoring into regular security posture reviews and tabletop exercises.
• Consider third-party Entra ID posture tools and risk scoring systems to provide continuous assessment of app consent exposure.

Risks and open questions​

• Detection workarounds: defenders must assume attackers will iterate. If Microsoft mitigates demo-site abuse, adversaries may switch to embedding agents in compromised customer pages or cloning UI patterns elsewhere.
• Persisting tokens and refresh lifetimes: the lifecycle of refresh tokens and how long they provide undetected access remains a key variable for impact assessments; tenants should assume refresh tokens can persist and act accordingly by revocation and rotation.
• Incomplete rollouts: not every tenant has the same default policies or administration discipline; uneven adoption of Microsoft’s consent defaults means some organizations will remain exposed longer than others.
• Human factors: because the attack relies on consent clicks, user education and interface design changes (e.g., clearer consent UIs, friction on high-risk consents) will be necessary complements to technical controls.

Conclusion​