
Warning: The “CoPhish” Attack Turns AI Agents into Phishing Tools
Custom AI agents and GPTs are revolutionizing how businesses operate, offering personalized assistance and automating complex tasks. But this new frontier also opens the door to sophisticated security threats. A newly discovered technique, dubbed the “CoPhish” attack, demonstrates how malicious actors can weaponize these powerful tools to steal sensitive user credentials and bypass traditional security measures.
This attack specifically targets Microsoft’s ecosystem by exploiting the trust users place in official platforms. Understanding how it works is the first step toward building a robust defense.
What is the CoPhish Attack?
The CoPhish attack is a novel phishing technique that leverages Microsoft’s Copilot Studio to create malicious AI agents, or “copilots.” The ultimate goal of the attack is to trick an unsuspecting user into granting permissions to the malicious agent, allowing the attacker to steal the user’s OAuth access token.
Once an attacker possesses this token, they can impersonate the user and gain access to their Microsoft 365 account, including sensitive data stored in Outlook, SharePoint, OneDrive, and other connected applications.
How the Attack Works: A Step-by-Step Breakdown
The genius of the CoPhish attack lies in its use of legitimate Microsoft infrastructure, which makes it incredibly difficult for both users and automated security systems to detect.
Crafting the Malicious Agent: First, an attacker uses Microsoft Copilot Studio to build a seemingly helpful custom AI agent. They can design it to look like an official IT support tool, a productivity assistant, or any other benign application. The key is that this agent is configured to require user authentication to access certain “skills” or data sources.
The Deceptive Lure: The attacker then generates a sharing link for their malicious copilot. This link is sent to the target victim via email or a messaging platform. Because the link points to a legitimate Microsoft domain (such as copilotstudio.microsoft.com), it bypasses many standard email filters and appears trustworthy to the user.
Exploiting the Consent Process: When the victim clicks the link, they are taken to the official Microsoft environment to interact with the AI agent. The agent will prompt the user to log in and grant it permissions via a standard OAuth consent screen. This screen also appears legitimate, asking for access to things like reading user profiles or accessing files—permissions that might seem reasonable for a productivity tool.
Capturing the Access Token: This is the critical step. When the user grants consent, the OAuth token is sent to the AI agent. However, because the agent was created and is hosted within the attacker’s own Microsoft tenant, the token is delivered directly into an environment they control. The attacker can then easily extract the token and use it to access the victim’s account from anywhere.
Why is This Attack So Dangerous?
The CoPhish method presents a significant evolution in phishing tactics for several key reasons:
- Bypasses Traditional Defenses: The attack uses legitimate Microsoft domains and valid TLS certificates, making it nearly impossible to block at the network level.
- High Level of Trust: Users are far more likely to trust a prompt originating from a genuine Microsoft service than a link to a random, unknown website.
- Low Technical Barrier: Creating a malicious copilot doesn’t require advanced hacking skills. The entire process uses Microsoft’s own user-friendly, no-code development tools.
- Direct Access to High-Value Data: A stolen Microsoft 365 access token is a master key to a user’s corporate identity, granting access to emails, confidential documents, calendars, and contacts.
How to Protect Your Organization
Defending against CoPhish requires a multi-layered approach that combines administrative vigilance, technical controls, and user education.
Implement Strict Administrative Controls: Administrators should immediately review their Copilot Studio settings. It is crucial to disable the ability for users to publish copilots publicly or share them with everyone in the organization. Limit copilot creation and sharing capabilities to only a small, trusted group of administrators or developers.
Enhance User Awareness and Training: Educate employees about the risk of AI-powered phishing. Teach them to be highly skeptical of any unexpected links to AI tools, even if they appear to come from a legitimate domain. Instruct users to carefully scrutinize any permission request and to never grant consent to an application they do not fully recognize and trust.
Monitor Application Consents: Regularly audit and monitor OAuth application consents across your Microsoft 365 environment. Look for unusual or newly granted permissions, especially for non-certified or unfamiliar applications. Microsoft Defender for Cloud Apps and other security tools can help automate this process.
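A small triage pass over "Consent to application" audit events, added here as an example and not taken from the article or from Microsoft's tooling: it flags user consents granted to applications outside an approved list and calls out the scopes and refresh-token grant that make a stolen token most valuable. The record layout (activityDisplayName, targetApp, appId, permissions) is a simplified assumption rather than the exact Entra ID export schema, and every user, app name and app ID is constructed.

```python
# Added example (not from the article): triage Entra ID "Consent to application"
# audit events, flagging consents granted to apps outside an approved list. Field
# names are a simplified, assumed layout, not the exact export schema.

SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}

# Constructed sample records (invented users, app names and app IDs).
SAMPLE_AUDIT_RECORDS = [
    {"activityDisplayName": "Consent to application", "initiatedBy": "alice@contoso.example",
     "targetApp": "Contoso Expense Helper", "appId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "consentType": "User", "permissions": ["User.Read", "offline_access"]},
    {"activityDisplayName": "Consent to application", "initiatedBy": "bob@contoso.example",
     "targetApp": "IT Support Assistant", "appId": "22222222-aaaa-4bbb-8ccc-000000000002",
     "consentType": "User", "permissions": ["User.Read", "Mail.Read", "Files.Read.All", "offline_access"]},
    {"activityDisplayName": "Update application", "initiatedBy": "admin@contoso.example",
     "targetApp": "Contoso Expense Helper", "appId": "11111111-aaaa-4bbb-8ccc-000000000001"},
]

# Apps the organisation has already reviewed and approved (constructed).
APPROVED_APP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}


def flag_suspicious_consents(records, approved_app_ids=APPROVED_APP_IDS):
    """Return one finding per consent grant to an app not on the approved list."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Consent to application":
            continue  # only consent grants matter for this check
        if rec.get("appId") in approved_app_ids:
            continue  # reviewed app, nothing to triage
        scopes = set(rec.get("permissions", []))
        sensitive = sorted(scopes & SENSITIVE_SCOPES)  # data the token would expose
        reasons = ["app not on approved list"]
        if sensitive:
            reasons.append("sensitive scopes: " + ", ".join(sensitive))
        if "offline_access" in scopes:  # refresh token: access outlives the session
            reasons.append("offline_access requested")
        findings.append({"user": rec.get("initiatedBy"), "app": rec.get("targetApp"),
                         "appId": rec.get("appId"),
                         "severity": "high" if sensitive or "offline_access" in scopes else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_consents(SAMPLE_AUDIT_RECORDS):
        print(f"[{f['severity'].upper()}] {f['user']} -> {f['app']}: {'; '.join(f['reasons'])}")
```

In a real deployment the approved list would come from the tenant's app governance process and the records from an audit-log export, so the same logic can run on a schedule rather than against embedded samples.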
Adopt a Zero Trust Mindset: The CoPhish attack underscores the importance of a Zero Trust security model. Assume that no request is safe by default, and continuously verify identity and permissions before granting access to resources.
The emergence of AI-driven tools will undoubtedly bring new and unforeseen security challenges. The CoPhish attack is a stark reminder that as technology evolves, so too must our security strategies. By staying informed and proactive, organizations can harness the power of AI while safeguarding their most critical assets.
Source: https://www.bleepingcomputer.com/news/security/new-cophish-attack-steals-oauth-tokens-via-copilot-studio-agents/