
CoPhish OAuth phishing hardening for Copilot Studio and Entra ID

Defensive Guidance
Happening score: 22
1 unique source, 1 article

Summary


CoPhish has prompted new hardening guidance for Copilot Studio and Entra ID, because attackers can abuse trusted Microsoft-hosted flows to steal OAuth tokens. Microsoft and Datadog recommend limiting administrative privileges, reducing application permissions, and enforcing governance controls to shrink the attack surface. The guidance also calls for monitoring application consent and Copilot Studio agent creation events.

Related Happenings

Microsoft Teams and Defender for Office 365 add centralized external-user blocking controls

Security Tool/Service
First: 24.12.2025 18:22 Last: 24.12.2025 18:22 Sources 1

About this happening: **Microsoft Teams** is gaining centralized controls that let security admins block **external users**, suspicious **domains**, and malicious content handling in **Defender for Off...

Microsoft Teams defaults on messaging safety protections for uncustomized tenants in January 2026

Security Tool/Service
First: 23.12.2025 15:23 Last: 23.12.2025 15:23 Sources 1

About this happening: **Microsoft Teams** will turn on **messaging safety features by default** starting **January 12, 2026**, expanding protection against **malicious content** for tenants on default...

Lies-in-the-Loop manipulation of HITL approval dialogs in agentic AI

Technical Analysis
First: 17.12.2025 18:00 Last: 17.12.2025 18:00 Sources 1

About this happening: **Checkmarx** researchers detailed **Lies-in-the-Loop (LITL)**, a technique that can manipulate **Human-in-the-Loop (HITL)** approval dialogs so dangerous actions look harmless an...

Microsoft hardens Microsoft 365 and Office 2024 by disabling ActiveX and blocking legacy-auth access

Defensive Guidance
First: 11.12.2025 18:00 Last: 11.12.2025 18:00 Sources 1

About this happening: Microsoft hardened **Microsoft 365** and **Office 2024** by disabling **all ActiveX controls** and tightening defaults to block **legacy authentication** access to **SharePoint**,...

ICO review of mobile games under Children’s code

Public Sector Action
First: 02.12.2025 12:30 Last: 02.12.2025 12:30 Sources 1

About this happening: The **ICO** launched a review of **10 popular mobile games**, stepping up public-sector scrutiny of the **mobile gaming sector** over children's privacy risks. The review will ass...

Timeline

  1. 25.10.2025 19:16 1 article · 7mo ago

    Datadog discloses CoPhish OAuth phishing

    Initial Disclosure

    Datadog Security Labs described CoPhish, a phishing technique that abuses Microsoft Copilot Studio agents hosted on copilotstudio.microsoft.com to send fraudulent OAuth consent requests through legitimate Microsoft domains and steal session tokens. The lure can be delivered through email phishing campaigns or Teams messages, and the malicious agent flow can route a target user through a Login topic and token-forwarding steps involving Burp Collaborator.

  2. 25.10.2025 19:16 1 article · 7mo ago

    Microsoft plans future CoPhish product updates

    Mitigation Patch Update

    Microsoft said it has investigated CoPhish and will address the underlying causes through future product updates, while also evaluating additional safeguards to harden governance and consent experiences for Microsoft Copilot Studio. Microsoft also advised customers to limit administrative privileges, reduce application permissions, and enforce governance policies so that organizations using Microsoft Copilot Studio and Entra ID reduce their exposure to OAuth consent abuse.
