New “CoPhish“ Attack Leverages Microsoft Copilot for account Takeover – Here’s How to Protect Your Institution
A refined phishing campaign dubbed “CoPhish” is exploiting the trust users place in Microsoft Copilot to steal account credentials and hijack sessions.Discovered by Datadog researchers, this attack leverages a legitimate Microsoft URL and design, making it exceptionally tough to detect. This article breaks down how CoPhish works, the risks it poses to your organization, and the steps you can take to defend against it.
Understanding the Threat
CoPhish doesn’t rely on traditional malicious links. Instead, it presents users with a seemingly legitimate Microsoft Copilot Studio application. Attackers distribute this through familiar channels like email phishing or Team messages, capitalizing on the widespread adoption of Microsoft’s AI tools.
Here’s how the attack unfolds:
* Deceptive Application: You receive a link to what appears to be a standard Microsoft Copilot service.
* Legitimate Infrastructure: The URL is hosted on Microsoft’s own servers, adding a layer of credibility.
* Subtle Clue: A small “Microsoft Power Platform” icon is present, but easily overlooked.
* OAuth Redirection: Accepting the app’s permissions redirects you to [token.botframework.com] for bot connection validation – a standard Copilot Studio process.
* Silent Hijacking: Your session token is silently forwarded to the attacker without any notification.
* Invisible Connection: Because the token originates from Microsoft’s IP addresses, the connection to the attacker doesn’t appear in your web traffic logs.
* Agent Access: The attacker can now chat with the agent as if they were you.
Why is CoPhish so perilous?
This attack is especially concerning as it bypasses many traditional security measures.It leverages a trusted domain and authentication process, making it difficult to flag as malicious. Moreover, the lack of visible connection attempts in web traffic makes detection post-compromise extremely challenging.
Visualizing the Attack Flow
[Image of Cophish attack flow diagram – Source: Datadog] (Refer to the original article for the image)
This diagram illustrates the seamless flow from user access to attacker token acquisition, highlighting the stealthy nature of the attack.
Protecting Your Organization: Proactive Measures
Microsoft acknowledges the threat and recommends several steps to mitigate risk. However, a layered approach is crucial. Here’s what you should do:
* Limit Administrative privileges: Reduce the number of users with broad administrative access.
* Reduce Application permissions: Implement the principle of least privilege, granting applications only the permissions they absolutely need.
* Enforce Governance Policies: Establish clear policies regarding application usage and approval.
* Strengthen Application Consent Policy: Implement a robust policy to cover gaps in Microsoft’s default security baseline.
* Disable User Application Creation Defaults: Prevent users from creating applications without proper authorization.
* Monitor Entra ID and Copilot Studio: Closely monitor application consent events and Copilot studio agent creation activity.
Datadog’s Security Considerations
Beyond Microsoft’s recommendations, Datadog suggests focusing on these key areas:
* Application Consent Monitoring: Actively monitor application consent requests within your Entra ID.
* Copilot Studio Agent Creation: Track the creation of new Copilot Studio agents for any unusual activity.
* Behavioral Analysis: Implement tools that can detect anomalous user behavior, even within legitimate applications.
Staying Ahead of the Curve
CoPhish demonstrates the evolving sophistication of phishing attacks. Attackers are increasingly leveraging trusted platforms and legitimate infrastructure to bypass traditional security measures. By implementing a proactive, layered security strategy and staying informed about emerging threats, you can significantly reduce your organization’s risk of falling victim to this type of attack.
Resources:
* Original BleepingComputer Article
