The CoPhish Epidemic: How Attackers Are Hijacking Microsoft Copilot to Steal Your Credentials

Introduction:

A novel phishing technique dubbed “CoPhish” is leveraging the trust and automation of Microsoft Copilot to orchestrate sophisticated OAuth token theft. This attack vector manipulates Copilot Studio, allowing threat actors to create malicious agents that seamlessly redirect users to fraudulent OAuth consent screens, compromising organizational identities and data.

Learning Objectives:

  • Understand the mechanics of the CoPhish attack leveraging Copilot Studio.
  • Learn to identify malicious OAuth consent screens and application permissions.
  • Acquire defensive skills to harden identity and application governance in Microsoft Entra ID.

You Should Know:

1. Understanding OAuth Consent Phishing

OAuth consent phishing is an attack where users are tricked into granting permissions to a malicious application. This application, once authorized, can access user data, emails, and other resources based on the scopes it was granted, without stealing a password.

2. Investigating Enterprise Applications in Microsoft Entra ID

The first line of defense is identifying suspicious applications that have been granted consent within your tenant.

Verified Command / Procedure:

```powershell
# Connect to Microsoft Graph API
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Get all service principals (Enterprise Applications) and their permissions.
# AppOwnerOrganizationId is a tenant ID (GUID), so compare it with the signed-in tenant's ID.
$TenantId = (Get-MgContext).TenantId
Get-MgServicePrincipal -All | Where-Object { $_.PublisherName -eq "Unknown" -or $_.AppOwnerOrganizationId -ne $TenantId } | Format-List DisplayName, AppId, AppOwnerOrganizationId, PublisherName
```

Step-by-step guide:

  1. Open PowerShell with administrative privileges.
  2. Install the `Microsoft.Graph` module if not present: `Install-Module Microsoft.Graph`.
  3. Run the `Connect-MgGraph` command and authenticate with a privileged account.
  4. Execute the `Get-MgServicePrincipal` query. This script filters for applications not published by a known publisher or not owned by your tenant, which are common indicators of a malicious app.
  5. Investigate any unfamiliar applications, noting their AppId, and revoke their permissions immediately via the Microsoft Entra admin center.
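To decide which of the listed applications deserve attention first, it helps to join each delegated grant to its service principal and look at the scopes actually granted. The following is an added example, not code from the original post: it runs offline on constructed objects shaped like `Get-MgServicePrincipal` and `Get-MgOauth2PermissionGrant` output, and the function name `Get-GrantTriage`, the tenant IDs and the high-risk scope watch list are assumptions.

```powershell
# Added example: offline triage of delegated grants. All sample objects are constructed.
$HomeTenantId   = '11111111-1111-1111-1111-111111111111'   # constructed placeholder
$HighRiskScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'offline_access'  # assumed watch list

$ServicePrincipals = @(
    [pscustomobject]@{ Id = 'sp-obj-001'; AppId = 'app-001'; DisplayName = 'Contoso HR Portal'; AppOwnerOrganizationId = $HomeTenantId }
    [pscustomobject]@{ Id = 'sp-obj-002'; AppId = 'app-002'; DisplayName = 'Copilot Helper'; AppOwnerOrganizationId = '22222222-2222-2222-2222-222222222222' }
)
$Grants = @(
    [pscustomobject]@{ Id = 'grant-1'; ClientId = 'sp-obj-001'; ConsentType = 'AllPrincipals'; Scope = 'User.Read openid profile' }
    [pscustomobject]@{ Id = 'grant-2'; ClientId = 'sp-obj-002'; ConsentType = 'Principal'; Scope = 'Mail.ReadWrite Mail.Send offline_access User.Read' }
)

function Get-GrantTriage {
    param($Grants, $ServicePrincipals, [string]$HomeTenantId, [string[]]$HighRiskScopes)

    # Index service principals by object Id: a grant's ClientId is the object Id, not the AppId.
    $byId = @{}
    foreach ($sp in $ServicePrincipals) { $byId[$sp.Id] = $sp }

    foreach ($g in $Grants) {
        $sp = $byId[$g.ClientId]
        # Scope is one space-delimited string; split it before matching individual scopes.
        $scopes  = @($g.Scope -split '\s+' | Where-Object { $_ })
        $risky   = @($scopes | Where-Object { $HighRiskScopes -contains $_ })
        # A grant whose service principal is missing is treated as foreign so it is not silently skipped.
        $foreign = (-not $sp) -or ($sp.AppOwnerOrganizationId -ne $HomeTenantId)
        [pscustomobject]@{
            GrantId      = $g.Id
            App          = if ($sp) { $sp.DisplayName } else { '<no service principal>' }
            AppId        = if ($sp) { $sp.AppId } else { $null }
            ConsentType  = $g.ConsentType
            ForeignOwned = $foreign
            RiskyScopes  = $risky -join ' '
            Review       = $foreign -and ($risky.Count -gt 0)
        }
    }
}

Get-GrantTriage -Grants $Grants -ServicePrincipals $ServicePrincipals -HomeTenantId $HomeTenantId -HighRiskScopes $HighRiskScopes |
    Sort-Object Review -Descending | Format-Table -AutoSize
```

Legitimate multi-tenant SaaS and Microsoft first-party applications are also owned by other tenants, so `ForeignOwned` alone is not a verdict; the `Review` column only narrows the list to foreign-owned apps that also hold a watched scope.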

3. Revoking Malicious OAuth Grants

Once a malicious application is identified, its permissions must be revoked globally.

Verified Command / Procedure:

```powershell
# Revoke all oauth2PermissionGrants for a specific malicious service principal (Application)
$MaliciousApp = Get-MgServicePrincipal -Filter "displayName eq 'Suspicious App Name'"
# ClientId on a grant is the service principal's object ID (Id), not its AppId
$OAuthGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $MaliciousApp.Id }
$OAuthGrants | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
```

Step-by-step guide:

  1. Identify the exact display name or AppId of the malicious application from the previous investigation.
  2. The first command fetches the service principal object for the app named ‘Suspicious App Name’. Replace this filter with the actual name or use `-Filter "appId eq 'GUID'"`.
  3. The second command retrieves all OAuth2 permission grants whose client is that service principal, matched on the service principal's object ID.
  4. The final pipeline iterates through each grant and deletes it, effectively revoking all permissions users have granted to this application.

4. Implementing Tenant-Wide Application Consent Policies

Preventing future incidents requires restricting how users can consent to applications.

Verified Command / Procedure:

```powershell
# Disable user consent for all permissions (Recommended)
New-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{AllowedToCreateApps = $false; AllowedToCreateSecurityGroups = $false; AllowedToReadOtherUsers = $false}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions @{ "PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForOwnedResources") }
```

Step-by-step guide:

  1. This policy update is performed using the Microsoft Graph PowerShell module.
  2. The `New-MgPolicyAuthorizationPolicy` command is used to define a new policy, but typically you will update the existing default policy. The example `Update-MgPolicy` command is the correct method.
  3. The `PermissionGrantPoliciesAssigned` parameter with the value `managePermissionGrantsForOwnedResources` is a built-in policy that allows users to grant consent only for apps they own, which is rarely the case, effectively blocking most user consent.
  4. After this change, all application consent requests must be reviewed and approved by an administrator.

5. Auditing Sign-In and Consent Activities

Continuous monitoring of authentication and consent events is crucial for detection.

Verified Command / Procedure:

```kusto
// KQL Query for Azure Sentinel/Microsoft Defender for Identity: Detect OAuth Consent Grant
AuditLogs
| where OperationName == "Consent to application"
| extend ConsentType = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])).newValue)
| extend AppName = tostring(TargetResources[0].displayName)
| extend AppId = tostring(TargetResources[0].id) // object ID of the application that received consent
| extend InitiatorIp = tostring(InitiatedBy.user.ipAddress) // source IP of the consenting user
| project TimeGenerated, OperationName, AppName, AppId, ConsentType, InitiatorIp, InitiatedBy
```

Step-by-step guide:

  1. Navigate to Microsoft Entra ID > Monitoring > Sign-in logs or Audit logs.
  2. For advanced hunting, go to Microsoft Defender XDR or Azure Sentinel.
  3. Paste the provided Kusto Query Language (KQL) query into the query window.
  4. This query specifically filters for “Consent to application” operations, extracts the application name, ID, and the type of consent (e.g., “AllPrincipals” for admin consent).
  5. Run the query and set up a custom alert rule to notify your security team whenever a consent event occurs, allowing for rapid investigation.
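The same extraction can be done outside the SIEM on exported audit records. The following is an added example, not code from the original post: it parses constructed records shaped like Microsoft Graph directory audit entries and looks up modified properties by name instead of by position. The function name `Get-ConsentEvent`, the sample values and the exact text layout of the `ConsentAction.Permissions` value are assumptions.

```powershell
# Added example: constructed records shaped like directory audit entries (not real tenant data).
$AuditJson = @'
[
  { "activityDateTime": "2025-01-15T09:12:44Z", "activityDisplayName": "Consent to application",
    "initiatedBy": { "user": { "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10" } },
    "targetResources": [ { "id": "sp-obj-002", "displayName": "Copilot Helper",
      "modifiedProperties": [
        { "displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\"" },
        { "displayName": "ConsentAction.Permissions",
          "newValue": "\"[] => [[Id: g1, ClientId: sp-obj-002, PrincipalId: u77, ResourceId: r1, ConsentType: Principal, Scope: Mail.ReadWrite Mail.Send offline_access]];\"" }
      ] } ] },
  { "activityDateTime": "2025-01-15T09:20:02Z", "activityDisplayName": "Add user",
    "initiatedBy": { "user": { "userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7" } },
    "targetResources": [] }
]
'@

function Get-ConsentEvent {
    param([Parameter(Mandatory)] $Records)
    foreach ($r in $Records) {
        if ($r.activityDisplayName -ne 'Consent to application') { continue }
        foreach ($t in $r.targetResources) {
            # Key the modified properties by name; their order in the array should not be relied on.
            $props = @{}
            foreach ($p in $t.modifiedProperties) { $props[$p.displayName] = ($p.newValue -replace '^"|"$', '') }
            $perm  = $props['ConsentAction.Permissions']
            # Assumed layout: "..., ConsentType: <type>, Scope: <space-delimited scopes>]"
            $ctype = if ($perm -match 'ConsentType:\s*(\w+)') { $Matches[1] } else { '' }
            $scope = if ($perm -match 'Scope:\s*([^,\]]+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Time               = $r.activityDateTime
                User               = $r.initiatedBy.user.userPrincipalName
                SourceIp           = $r.initiatedBy.user.ipAddress
                App                = $t.displayName
                ServicePrincipalId = $t.id
                IsAdminConsent     = $props['ConsentContext.IsAdminConsent']
                ConsentType        = $ctype
                Scope              = $scope
            }
        }
    }
}

Get-ConsentEvent -Records ($AuditJson | ConvertFrom-Json) | Format-List
```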

6. Hardening Copilot Studio Security

While specific CoPhish mitigations are evolving, general Copilot Studio security is paramount.

Verified Command / Procedure:

```powershell
# Review and manage Power Platform admin roles (which govern Copilot Studio)
$User = Get-MgUser -UserId "[email protected]"
$Role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Power Platform Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $User.Id -RoleDefinitionId $Role.Id -DirectoryScopeId "/"
```

Step-by-step guide:

  1. Restrict creation rights for Copilot Studio agents. Not all users should be able to publish agents.
  2. Use the Microsoft Graph command above to assign the “Power Platform Administrator” role only to trusted personnel. Replace `[email protected]` with the appropriate UPN.
  3. Regularly audit published agents and their data connections within the Power Platform Admin Center. Scrutinize any agent that redirects users or requests external HTTP calls.

7. Blocking Malicious Applications via Conditional Access

A proactive defense is to block known malicious application IDs or patterns.

Verified Command / Procedure:

Conditional Access Policy (JSON Template for Graph API):

```json
{
  "displayName": "Block High-Risk OAuth Apps",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": ["All"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "clientApplications": {
      "servicePrincipalIds": ["MALICIOUS_APP_ID_1", "MALICIOUS_APP_ID_2"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Step-by-step guide:

  1. This JSON defines a Conditional Access policy that blocks authentication requests from specific malicious service principals (applications).
  2. In the Microsoft Entra admin center, navigate to Security > Conditional Access > Create new policy.
  3. Under Cloud apps or actions, select “All cloud apps”.
  4. Under Conditions > Client applications, select “Yes” for Configure and select “Service principal” under Service principal IDs. Add the AppIds of any malicious applications you have identified.
  5. Under Grant, select “Block access” and create the policy. This will prevent any user from authenticating to or granting consent to the listed applications.

What Undercode Say:

  • Identity is the New Perimeter: The CoPhish attack reinforces that the primary attack surface has shifted from network firewalls to identity providers and consent screens. A single approved OAuth grant can bypass multifactor authentication and other network-level defenses.
  • Abuse of AI Tools is Inevitable: As AI assistants become deeply integrated into business workflows, they will be increasingly weaponized. The trust users place in these automated systems creates a powerful social engineering vector.

The CoPhish technique is not a flaw in Copilot’s code but a clever manipulation of its legitimate functionality. It signifies a strategic pivot by attackers towards “trusted path” attacks, exploiting the very tools designed to enhance productivity. Defending against this requires a fundamental shift from traditional phishing education—which focuses on URLs and attachments—towards application and consent literacy. Security teams must now treat their identity provider’s application registry with the same severity as their domain admin group, implementing strict governance, monitoring, and control over which applications can be granted permissions. The era of AI-powered attacks has begun, and our defenses must evolve just as rapidly.

Prediction:

The success of CoPhish will catalyze a new wave of AI-assisted social engineering, leading to a proliferation of similar attacks targeting other AI platforms and SaaS productivity tools. We predict a rise in “conversational hijacking,” where malicious agents within trusted AI interfaces will not only phish for credentials but also manipulate business data, initiate fraudulent transactions, and spread misinformation, forcing the development of new AI-specific security protocols and runtime integrity checks for AI-generated actions.

Reported By: Jamesagombar New – Hackers Feeds