{"id":21805,"date":"2025-10-28T16:14:46","date_gmt":"2025-10-28T15:14:46","guid":{"rendered":"https:\/\/ig.technology\/?p=21805"},"modified":"2025-10-28T17:39:26","modified_gmt":"2025-10-28T16:39:26","slug":"how-attackers-use-microsoft-agents-to-steal-oauth-tokens","status":"publish","type":"post","link":"https:\/\/ig.technology\/index.php\/2025\/10\/28\/how-attackers-use-microsoft-agents-to-steal-oauth-tokens\/","title":{"rendered":"How attackers use Microsoft agents to steal OAuth tokens","gt_translate_keys":[{"key":"rendered","format":"text"}]},"content":{"rendered":"\n<!doctype html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\" \/>\n  <meta name=\"viewport\" content=\"width=device-width,initial-scale=1\" \/>\n  <title>How attackers use Microsoft agents to steal OAuth tokens<\/title>\n<\/head>\n<body>\n  <article aria-labelledby=\"post-title\">\n    <!-- WordPress will provide the main title, so we avoid an H1 here -->\n    <div id=\"post-title\" style=\"display:none;\">How attackers use Microsoft agents to steal OAuth tokens<\/div>\n\n    <div>\n      <span>Security<\/span>\n      <time datetime=\"2025-10-27\">October 27, 2025<\/time>\n      <span>\u2022<\/span>\n      <span>By Erik van Klinken (Techzine summary)<\/span>\n    <\/div>\n\n    <p>\n      AI agents that run inside Microsoft Copilot Studio can be abused to harvest OAuth tokens \u2014 a tactic Datadog researchers have documented that tricks users into granting permissions to malicious agents. This post summarizes how the attack works, who is at risk, and practical steps to reduce exposure.\n    <\/p>\n\n    <h2>What happened \u2014 a quick summary<\/h2>\n    <p>\n      Researchers observed that attackers can create or share Copilot Studio \u201ctopics\u201d \u2014 agent workflows that look and behave like normal web pages \u2014 which prompt users to sign in and inadvertently grant OAuth permissions. 
Those tokens let attackers perform actions on behalf of the user, such as sending email or modifying calendar entries, effectively turning trusted identities into attack vectors.\n    <\/p>\n\n    <h2>How the attack works (in plain terms)<\/h2>\n    <p>The abuse hinges on three pieces:<\/p>\n    <ul>\n      <li><strong>Agent-as-page interface:<\/strong> The malicious agent is presented as a web-like page with a chat interface that asks the user to log in \u2014 this lowers suspicion.<\/li>\n      <li><strong>OAuth consent:<\/strong> When the user authenticates, the agent requests OAuth permissions. If granted, the agent receives tokens tied to that user account.<\/li>\n      <li><strong>Token misuse:<\/strong> With OAuth tokens, the attacker can perform actions (email, calendar updates, etc.) using the victim\u2019s privileges without needing their password.<\/li>\n    <\/ul>\n\n    <h3>Why this is especially tricky<\/h3>\n    <p>\n      Because the agent pages and consent flows can look like legitimate Microsoft pages and because Copilot Studio workflows are shareable, victims may not realize they are authorizing a malicious application. Datadog refers to this method as \u201cCoPhish.\u201d\n    <\/p>\n\n    <h2>Who is most at risk<\/h2>\n    <p>\n      Organizations that allow users to create or run Copilot Studio agents in their own Entra ID tenant are exposed, especially if administrators can approve application permissions without additional verification. 
Unprivileged users can still cause damage by granting tokens; administrators can make the problem worse by pre-approving permissions for apps within their tenant.\n    <\/p>\n\n    <h2>Immediate mitigation steps<\/h2>\n    <p>Technical teams can take several practical steps to reduce risk quickly:<\/p>\n    <ul>\n      <li><strong>Restrict who can create agents:<\/strong> Limit Copilot Studio agent creation to a small number of trusted accounts or disable self-service creation in Entra where possible.<\/li>\n      <li><strong>Harden app consent policies:<\/strong> Require admin consent for permissions that allow write access to mail, calendars, and files. Review and tighten tenant consent settings.<\/li>\n      <li><strong>Monitor OAuth approvals:<\/strong> Audit recent app consent events and revoke suspicious permissions or tokens promptly.<\/li>\n      <li><strong>User education:<\/strong> Train users to recognize unusual consent requests and report unexpected sign-in prompts immediately.<\/li>\n    <\/ul>\n\n    <h2>Longer-term controls and best practices<\/h2>\n    <p>\n      Beyond immediate mitigations, consider implementing conditional access policies that limit what tokens can do, using least privilege for application permissions, and integrating identity threat detection tools that flag anomalous OAuth usage. Regularly review external app approvals and ensure unverified apps cannot be granted broad permissions by default.\n    <\/p>\n\n    <h2>Conclusion<\/h2>\n    <p>\n      Agent-based workflows bring productivity gains, but they also expand the attack surface. Treat Copilot Studio agents and any shared workflows as potential supply-chain-like risks: enforce strict creation and consent policies, keep an audit trail, and prepare a rapid response process for revoking tokens and informing affected users.\n    <\/p>\n\n    <div>\n      <strong>Source:<\/strong>\n      <div>Summary based on Techzine\u2019s report on Datadog findings. 
<a href=\"https:\/\/www.techzine.eu\/news\/security\/13578\/how-attackers-use-microsoft-agents-to-steal-oauth-tokens\/\" target=\"_blank\" rel=\"noopener noreferrer\">Original article (Techzine)<\/a><\/div>\n    <\/div>\n  <\/article>\n<\/body>\n<\/html>\n","protected":false,"gt_translate_keys":[{"key":"rendered","format":"html"}]},"excerpt":{"rendered":"","protected":false,"gt_translate_keys":[{"key":"rendered","format":"html"}]},"author":1,"featured_media":21809,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[114,1,19,20,24],"tags":[],"class_list":["post-21805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attacks","category-blog","category-cyber-security","category-data-analysis","category-technology"],"aioseo_notices":[],"gt_translate_keys":[{"key":"link","format":"url"}],"_links":{"self":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts\/21805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/comments?post=21805"}],"version-history":[{"count":3,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts\/21805\/revisions"}],"predecessor-version":[{"id":21808,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts\/21805\/revisions\/21808"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/media\/21809"}],"wp:attachment":[{"href":"
https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/media?parent=21805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/categories?post=21805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/tags?post=21805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}