Monday , July 13 2026
CoPhish

New CoPhish attack steals OAuth tokens Exploitng Copilot Studio agents

A phishing technique named CoPhish misuses Microsoft Copilot Studio to deceive users into giving hackers access to their Microsoft Entra ID accounts. Datadog Security Labs identified a method that uses customizable AI agents on legitimate Microsoft domains to disguise OAuth consent attacks, making them seem trustworthy and avoiding user suspicion.

A new report reveals that cloud-based AI tools still have vulnerabilities, even with Microsoft’s improved consent policies.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Attackers can use Copilot Studio to build fake chatbots that trick users into giving their login details, allowing them to steal OAuth tokens for harmful activities like reading emails or accessing calendars.

Recent advancements in AI services have led to the unintended risk of phishing through user-configurable features. With more organizations using tools like Copilot, it’s crucial to closely monitor low-code platforms.

OAuth consent attacks, classified under MITRE ATT&CK technique T1528, involve luring users into approving malicious app registrations that request broad permissions to sensitive data.

Attackers in Entra ID environments create app registrations to access Microsoft Graph resources like email or OneNote, tricking victims into consenting through phishing links. Once approved, they gain a token that allows them to impersonate users and steal data or cause further harm.

Microsoft has bolstered defenses over the years, including 2020 restrictions on unverified apps and a July 2025 update setting “microsoft-user-default-recommended” as the default policy, which blocks consent for high-risk permissions like Sites.Read.All and Files.Read.All without admin approval.

However, gaps remain: unprivileged users can still approve internal apps for permissions like Mail.ReadWrite or Calendars.ReadWrite, and admins with roles such as Application Administrator can consent to any permissions on any app.

An upcoming late-October 2025 policy tweak will narrow these further but won’t fully protect privileged users.​

CoPhish Attack Exploits Copilot:
In the CoPhish technique, attackers create a harmful chatbot using a trial license in their own account or a compromised one, Datadog said.

The agent’s “Login” topic, a system workflow for authentication, is backdoored with an HTTP request that exfiltrates the user’s OAuth token to an attacker-controlled server after consent.

The demo website feature shares the agent via a URL like copilotstudio.microsoft.com, mimicking official Copilot services and evading basic domain checks.​

The attack unfolds when a victim clicks a shared link, sees a familiar interface with a “Login” button, and is redirected to the malicious OAuth flow.

For internal targets, the app requests allowable scopes like Notes.ReadWrite; for admins, it can demand everything, including disallowed ones. Post-consent, a validation code from token.botframework.com completes the process, but the token is silently forwarded often via Microsoft’s IPs, hiding it from user traffic logs.

Attackers can then use the token for actions like sending phishing emails or data theft, all without alerting the victim. A diagram illustrates this flow, showing the agent issuing tokens post-consent for exfiltration.​

To counter CoPhish, experts recommend enforcing custom consent policies beyond Microsoft’s defaults, disabling user app creation, and monitoring Entra ID audit logs for suspicious consents or Copilot modifications.

This attack serves as a cautionary tale for emerging AI platforms: their ease of customization amplifies risks when paired with identity systems. As cloud services proliferate, organizations must prioritize robust policies to safeguard against such hybrid threats.​

Check Also

Tenda

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to …