
Experts warn that Microsoft Copilot Studio agents are being hijacked to steal OAuth tokens

  • CoPhish uses Copilot Studio agents to phish OAuth tokens through fake login flows.
  • Attackers exploit Microsoft domains to appear legitimate and access sensitive user data.
  • Mitigations include restricting app consent, enforcing MFA, and monitoring OAuth activity.

Security researchers at Datadog Security Labs are warning of a new phishing technique that weaponizes Microsoft Copilot Studio agents to steal OAuth tokens, giving attackers access to sensitive information in emails, chats, calendars, and more.

The technique is called CoPhish. Although Microsoft characterized it as a social engineering technique, it acknowledged the issue and said it will work to fix it.

Here’s how it works: An attacker can create or share a Copilot Studio agent (known as a “Topic”) whose user interface includes a “Login” or consent flow. If a victim clicks the button, the flow requests Microsoft login/OAuth permissions. By approving the request, the victim essentially hands OAuth tokens to the attackers, who can then use them to access mail, chat, calendar, data, and automation capabilities across the victim’s tenant.

Addressed through product updates

The technique is especially dangerous, Datadog stressed, because the agents use legitimate Microsoft domains (copilotstudio.microsoft.com). This, together with the agent’s user interface, may lead the victim to believe it is authentic and let their guard down.

Microsoft acknowledged the potential for abuse and confirmed it would be working to fix it: “We have investigated this report and are taking steps to handle it through future product updates,” a spokesperson said.

“While this system relies on social engineering, we stay dedicated to strengthening our governance and consent experiences and are evaluating further safeguards to help organizations stop misuse.”

If you are concerned about being attacked in this way, there are immediate mitigation measures that can reduce the risk. These include restricting consent to third-party apps (requiring admin consent), enforcing conditional access and MFA, blocking (or closely reviewing) shared and published Copilot Studio agents, monitoring unusual app registrations and granted OAuth tokens, and revoking suspicious tokens and apps.
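As an illustration of the monitoring step, the following added example (not from the article, Datadog, or Microsoft) scans consent events for grants that include scopes covering mail, chat, calendar, or file data. It assumes audit records shaped like Microsoft Entra "Consent to application" entries; the sample records, app names, and scope list are constructed and simplified.

```python
import json
import re

# Scope prefixes for the data the article lists (mail, chat, calendar, files).
# This list is an assumption for the example; tune it per tenant.
SENSITIVE_PREFIXES = ("Mail.", "Chat.", "Calendars.", "Files.", "Sites.")

# Constructed, simplified records shaped like Microsoft Graph directoryAudit entries.
SAMPLE_EVENTS = json.loads("""[
{"activityDisplayName": "Consent to application",
 "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
 "targetResources": [{"displayName": "Helpdesk Login Agent", "modifiedProperties": [
   {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
   {"displayName": "ConsentAction.Permissions", "newValue":
    "[] => [[ConsentType: Principal, Scope: Mail.ReadWrite Calendars.Read User.Read, ]]"}]}]},
{"activityDisplayName": "Consent to application",
 "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
 "targetResources": [{"displayName": "Timesheet Viewer", "modifiedProperties": [
   {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
   {"displayName": "ConsentAction.Permissions", "newValue":
    "[] => [[ConsentType: Principal, Scope: User.Read, ]]"}]}]},
{"activityDisplayName": "Update user", "initiatedBy": {}, "targetResources": []}
]""")

def prop(event, name):
    """Return newValue of the named modified property, or '' if absent."""
    for target in event.get("targetResources", []):
        for p in target.get("modifiedProperties", []):
            if p.get("displayName") == name:
                return p.get("newValue") or ""
    return ""

def risky_consents(events, approved_apps=frozenset()):
    """Flag consent grants to unapproved apps that include sensitive scopes."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        m = re.search(r"Scope:\s*([^,\]]*)", prop(ev, "ConsentAction.Permissions"))
        scopes = m.group(1).split() if m else []
        risky = [s for s in scopes if s.startswith(SENSITIVE_PREFIXES)]
        app = (ev.get("targetResources") or [{}])[0].get("displayName", "unknown")
        if risky and app not in approved_apps:
            user = (ev.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName")
            admin = "true" in prop(ev, "ConsentContext.IsAdminConsent").lower()
            findings.append({"user": user, "app": app, "scopes": risky,
                             "admin_consent": admin})
    return findings
```

Each finding names the consenting user and the app, which is the starting point for the revocation step mentioned above.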

Via BleepingComputer