How attackers use Microsoft agents to steal OAuth tokens

AI agents are proving to be extremely resourceful. Among the things they can get hold of are OAuth tokens, which these digital assistants then pass on to malicious parties. Datadog uncovered how agents built with Microsoft Copilot Studio can assist in phishing campaigns.

Copilot Studio enables a pervasive form of automation. To make the agents more useful, users can share their workflows, which are called “topics.” The Login topic can be configured in a way that misleads users. Datadog recently explained that malicious applications can steal OAuth tokens. Security researchers call this attack method “CoPhish.” Because the link leads to a legitimate Microsoft site, this form of abuse is difficult to recognize as such.

Users with a Copilot Studio license or the free trial in their own Entra ID tenant can create malicious agents. Of course, useful, legitimate agents can also be built, but Datadog sees the low-code tool for building them as an “ideal target for abuse in an attack.”

A page as an agent

What is confusing for end users is that the link is actually an agent with a chatbot function as its interface. Logging in seems like a minor step, but attackers are able to send victims to a URL that requests the granting of OAuth tokens for Microsoft Entra ID. With this token, actions can also be set up that are performed in the name of unsuspecting users once they grant permission. This includes sending emails, so a message that looks like internal communication could be a phishing email, with all the consequences that entails if this flaw is exploited.

Microsoft has already done its homework, Datadog explains. Since 2020, unverified external applications have no longer been allowed to receive such approval from every user, assuming organizations have this option enabled. However, administrators can still approve permissions for both internal and external, unverified applications.

Dangers

The dangers for unprivileged users range from a compromised email account to modifying their own calendar and changing data within OneNote. If Microsoft changes its policies, read/write permissions would only apply to OneNote. So that is still a danger, but malicious calendar invitations and email messages would no longer be possible.

As usual, administrators need to be extra vigilant. They can still grant permissions for each application. As decision-makers on behalf of Entra ID tenants, they do not need to request approval for this, according to Datadog. Even the changes Microsoft made last month maintain this risk. Since administrators have always been crucial IT security guards, they will be familiar with similar pitfalls.
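
As an added example (not code from Datadog or Microsoft), one way to review existing delegated consents for the mail, calendar and OneNote access described above is to flag grants held by external applications without a verified publisher. Field names follow Microsoft Graph's `oauth2PermissionGrant` and `servicePrincipal` resources; the choice of scopes, the tenant ID and all records are assumptions constructed for illustration.

```python
# Added example: audit delegated OAuth grants exported from Microsoft Graph.
# All identifiers and records below are constructed sample data.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Assumption: Graph delegated scopes matching the article's mail, calendar
# and OneNote risks.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Calendars.ReadWrite", "Notes.ReadWrite"}

# servicePrincipal records keyed by object id (constructed).
SERVICE_PRINCIPALS = {
    "sp-hr": {"displayName": "HR Portal", "appOwnerOrganizationId": HOME_TENANT,
              "verifiedPublisher": {"verifiedPublisherId": None}},
    "sp-helper": {"displayName": "Helper Bot",
                  "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
                  "verifiedPublisher": {"verifiedPublisherId": None}},
    "sp-crm": {"displayName": "CRM Sync",
               "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
               "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
}

# oauth2PermissionGrant records (constructed).
GRANTS = [
    {"clientId": "sp-hr", "consentType": "Principal", "principalId": "user-1", "scope": "User.Read Mail.Send"},
    {"clientId": "sp-helper", "consentType": "Principal", "principalId": "user-2", "scope": " openid Notes.ReadWrite Mail.ReadWrite"},
    {"clientId": "sp-helper", "consentType": "AllPrincipals", "principalId": None, "scope": "Mail.Send offline_access"},
    {"clientId": "sp-crm", "consentType": "Principal", "principalId": "user-3", "scope": "Calendars.ReadWrite"},
]

def is_unverified_external(sp, home_tenant):
    """True for apps owned by another tenant with no verified publisher.
    An unknown service principal (empty dict) also counts: fail closed."""
    publisher = sp.get("verifiedPublisher") or {}
    external = sp.get("appOwnerOrganizationId") != home_tenant
    return external and not publisher.get("verifiedPublisherId")

def audit_grants(grants, service_principals, home_tenant=HOME_TENANT):
    """Return one finding per risky grant held by an unverified external app."""
    findings = []
    for grant in grants:
        sp = service_principals.get(grant["clientId"], {})
        risky = sorted(RISKY_SCOPES & set((grant.get("scope") or "").split()))
        if not risky or not is_unverified_external(sp, home_tenant):
            continue
        # AllPrincipals = tenant-wide consent granted by an administrator.
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        findings.append({"app": sp.get("displayName", grant["clientId"]),
                         "who": "all users" if tenant_wide else grant.get("principalId"),
                         "scopes": risky,
                         "severity": "high" if tenant_wide else "medium"})
    return findings
```

Grants to internal apps and to external apps with a verified publisher are skipped; a tenant-wide admin consent is rated higher than a single user's consent because it covers every account.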
