- CoPhish makes use of Copilot Studio brokers to phish OAuth tokens through faux login flows
- Attackers exploit Microsoft domains to seem legit and entry delicate consumer knowledge
- Mitigations embrace proscribing app consent, imposing MFA, and monitoring OAuth exercise
Safety researchers from Datadog Safety Labs are warning a couple of new phishing approach weaponizing Microsoft Copilot Studio brokers to steal OAuth tokens and grants attackers entry to delicate info in emails, chats, calendars, and extra.
The approach is called CoPhish, and whereas Microsoft confirmed it’s a social engineering approach, it acknowledged it and stated it’ll work on addressing it.
Right here is the way it works: an attacker can construct, or share, a Copilot Studio agent (referred to as “Subject”), whose consumer interface features a “Login” or consent movement. If a sufferer clicks on the button, the movement will request Microsoft Entra/OAuth permissions. By approving the request, the sufferer basically palms over OAuth tokens to attackers, which may then use them to entry mail, chat, calendar, recordsdata, and automation capabilities contained in the sufferer’s tenant.
Addressing by product updates
The approach is especially harmful, Datadog pressured, as a result of the brokers are utilizing legit Microsoft domains (copilotstudio.microsoft.com). This, along with the agent UI, may make the sufferer imagine its authenticity, and decrease their guard.
Microsoft has acknowledged the potential for abuse and confirmed it could be engaged on addressing it: “We have investigated this report and are taking motion to handle it by future product updates,” a spokesperson stated.
“Whereas this system depends on social engineering, we stay dedicated to hardening our governance and consent experiences and are evaluating further safeguards to assist organizations stop misuse.”
If you’re nervous about being focused this fashion, there are quick mitigations to use which may scale back threat. That features proscribing third-party app consent (requires admin consent), imposing conditional entry and MFA, blocking (or intently reviewing) Copilot Studio shared and printed brokers, monitoring uncommon app registrations and granted OAuth tokens, and revoking suspicious tokens and apps.
By way of BleepingComputer
Comply with TechRadar on Google Information and add us as a most popular supply to get our knowledgeable information, evaluations, and opinion in your feeds. Ensure that to click on the Comply with button!
And naturally you may also comply with TechRadar on TikTok for information, evaluations, unboxings in video type, and get common updates from us on WhatsApp too.
The most effective antivirus for all budgets
