In the rapidly evolving world of cybersecurity threats, a new phishing technique has emerged that exploits Microsoft’s Copilot Studio, turning AI agents into unwitting accomplices in stealing sensitive OAuth tokens. Security researchers have uncovered a method dubbed “CoPhish,” which leverages these agents to deliver fraudulent consent requests through trusted Microsoft domains, bypassing traditional defenses and granting attackers persistent access to user accounts.
According to a report from TechRadar, experts are warning that Copilot Studio agents can be hijacked, allowing malicious actors to exfiltrate OAuth tokens. This vulnerability stems from the platform’s design, which enables users to create custom AI agents for tasks like customer support or data processing. Attackers craft malicious agents hosted on legitimate Microsoft infrastructure, tricking victims into approving OAuth consents that hand over tokens for services like Microsoft Entra ID.
The Mechanics of CoPhish Exploitation
The attack chain begins with phishing lures that direct users to these rogue agents. Once engaged, the agent prompts for OAuth authorization under the guise of legitimate functionality, such as accessing shared documents or integrating with productivity tools. As detailed in an analysis by BleepingComputer, this “zero-click” style exploit doesn’t require direct code execution; instead, it relies on the agent’s built-in workflows to capture and relay tokens to attackers, often evading multi-factor authentication (MFA) protections.
Further insights from InfoSecBulletin highlight how CoPhish misuses Copilot Studio to deceive users into granting access to their Microsoft Entra ID, potentially exposing emails, files, and other cloud resources. The technique’s sophistication lies in its use of trusted domains, which makes it harder for security tools to flag the activity as suspicious.
Microsoft’s Acknowledgment and Planned Mitigations
Microsoft has acknowledged the risks associated with this vulnerability, confirming plans to implement fixes. In statements reported by SC Media, the company emphasized the need for users to exercise caution when interacting with Copilot agents, particularly those prompting for OAuth consents. While no widespread exploitation has been reported yet, the potential for abuse is significant, especially in enterprise environments where Copilot is integrated into daily workflows.
Industry observers note that this isn’t the first time AI tools have been weaponized. A related incident covered by TechRadar earlier this year described a “zero-click” attack on Microsoft Copilot, where sensitive information was extracted without user interaction. Such patterns underscore the growing intersection of AI and cybersecurity risks.
Implications for Enterprise Security
For organizations relying on Microsoft 365 and Copilot Studio, the CoPhish threat amplifies the importance of robust access controls and employee training. Experts recommend reviewing OAuth app permissions regularly and implementing least-privilege principles to minimize damage from token theft. As outlined in SSOJet News Central, this attack can bypass MFA, making traditional password resets ineffective against persistent access.
Beyond immediate fixes, the incident raises broader questions about the security of AI-driven platforms. With agents becoming more autonomous, ensuring they can’t be subverted for malicious purposes will be crucial. Security teams should monitor for unusual OAuth requests and consider third-party tools for enhanced threat detection.
Protective Measures and Future Outlook
To safeguard against CoPhish and similar threats, users are advised to verify the legitimacy of any agent before granting consents, perhaps by checking the developer’s credentials or the agent’s hosting domain. Publications like RedHotCyber suggest enabling advanced logging in Microsoft Entra ID to track suspicious activities.
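One way to act on the logging and consent-monitoring advice above is to scan Entra ID audit records for "Consent to application" events that grant mail or file scopes. The following is an added example, not code from the article or from Microsoft; the records are constructed and simplified after the Microsoft Graph directoryAudit shape, and the RISKY scope list is an assumption to tune per tenant.

```python
import re

# Assumption (not from the article): delegated Graph scopes worth alerting on.
RISKY = {"mail.read", "mail.readwrite", "mail.send", "files.read.all",
         "files.readwrite.all", "notes.readwrite.all"}
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")

def _event(activity, upn, app, perms="", admin="False"):
    """Build a constructed, simplified Entra ID audit record for the demo."""
    return {"activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": admin},
                {"displayName": "ConsentAction.Permissions", "newValue": perms}]}]}

# Constructed sample data; names, IDs and scopes are illustrative only.
SAMPLE_EVENTS = [
    _event("Consent to application", "alice@example.com", "Demo Helper Agent",
           "[] => [[Id: x1, ClientId: c1, ConsentType: Principal, "
           "Scope: openid offline_access Mail.ReadWrite Files.Read.All, CreatedDateTime: ]];"),
    _event("Consent to application", "bob@example.com", "Demo Calendar App",
           "[] => [[Id: x2, ClientId: c2, ConsentType: Principal, "
           "Scope: openid profile User.Read, CreatedDateTime: ]];"),
    _event("Update user", "admin@example.com", "carol@example.com"),
]

def risky_consents(events):
    """Return one finding per consent event that granted a scope in RISKY."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        user = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")
        for target in ev.get("targetResources") or []:
            props = {p.get("displayName"): p.get("newValue") or ""
                     for p in target.get("modifiedProperties") or []}
            # The value reads "old => new"; only the newly granted side matters.
            granted = props.get("ConsentAction.Permissions", "").split("=>")[-1]
            scopes = {s.lower() for m in SCOPE_RE.findall(granted) for s in m.split()}
            hits = sorted(scopes & RISKY)
            if hits:
                findings.append({
                    "user": user, "app": target.get("displayName"), "risky_scopes": hits,
                    "persistent": "offline_access" in scopes,  # refresh token requested
                    "admin_consent": "true" in props.get("ConsentContext.IsAdminConsent", "").lower()})
    return findings

if __name__ == "__main__":
    for finding in risky_consents(SAMPLE_EVENTS):
        print(finding)
```

A finding with `persistent` set means the grant included `offline_access`, so revoking the application's grant and the user's refresh tokens is needed in addition to any password reset.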
As AI integration deepens in business operations, vulnerabilities like this could proliferate. Microsoft’s swift response is a positive step, but ongoing vigilance from both vendors and users will be essential to stay ahead of innovative phishing tactics that exploit emerging technologies.


WebProNews is an iEntry Publication