
Security researchers warn of new Copilot Studio-based OAuth phishing attack risk

by MSDW Reporter
Editorial Team, MSDynamicsWorld.com

A new OAuth phishing technique uncovered by security researchers abuses Copilot Studio to redirect users to arbitrary URLs and deliver OAuth consent-phishing lures that exfiltrate tokens.

“This scenario is an example of why it’s important to treat new cloud services with caution, especially when they include content that end users can modify,” wrote Datadog senior security researcher Katie Knowles.

The attack builds on a known risk: administrative users accidentally consenting to OAuth applications they do not recognize. A malicious link sent to a user can direct them to a web page that looks like the Microsoft 365 Copilot interface but is really a Copilot Studio agent styled to impersonate it. The agent’s “Login” settings can be changed to redirect the user to an external URL, where a login prompt issues a token that enables malicious actions within the scope the user consented to.
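The lure described above ends at an OAuth authorization link. The following is an added example, not code from the article or from Datadog, showing the checks a defender can run over such a link before anyone clicks it: is the authority a Microsoft login host, where does `redirect_uri` send the token, which scopes are requested (in particular `offline_access`, which yields a refresh token), and is consent being forced. The allow-list of trusted redirect hosts and both sample URLs are assumptions constructed for illustration and should be tuned to your tenant.

```python
"""Triage an OAuth authorize link for consent-phishing indicators.

Added example (not the article's or Datadog's code). Parses a Microsoft Entra
authorize URL of the kind a consent-phishing lure points at and returns the
signals a defender would check. Sample URLs below are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that legitimately serve Microsoft identity platform authorize endpoints.
MICROSOFT_AUTHORITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Redirect targets your tenant has approved (assumed allow-list, tune per environment).
TRUSTED_REDIRECT_HOSTS = {"copilot.microsoft.com", "login.microsoftonline.com"}

# Scopes that make a stolen token long-lived or reach mailbox/file data.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed samples: a benign sign-in link and a consent-phishing lure.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcopilot.microsoft.com%2F&scope=openid%20profile"
)
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=99999999-8888-7777-6666-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read&prompt=consent"
)


def triage_oauth_link(url: str) -> dict:
    """Return the parsed client/redirect/scope fields plus a list of findings."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    findings = []

    # 1. The authorize endpoint itself must be a Microsoft login host.
    if parsed.hostname not in MICROSOFT_AUTHORITY_HOSTS:
        findings.append(f"authority host is not Microsoft: {parsed.hostname}")

    # 2. The token is delivered to redirect_uri; an off-platform host means exfiltration.
    redirect_host = urlparse(first("redirect_uri")).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri points off-platform: {redirect_host}")

    # 3. Scopes bound what the attacker can do with the consented token.
    scopes = set(first("scope").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))

    # 4. prompt=consent forces the consent screen for an app the user may not know.
    if first("prompt") == "consent":
        findings.append("prompt=consent forces a consent screen")

    # 5. Implicit flow puts the access token directly in the URL fragment.
    if "token" in first("response_type").split():
        findings.append("implicit flow: access token returned in URL fragment")

    return {
        "client_id": first("client_id"),
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL), ("lure", LURE_URL)):
        result = triage_oauth_link(sample)
        print(label, result["client_id"], result["redirect_host"])
        for finding in result["findings"]:
            print("  -", finding)
```

The client ID alone is not a verdict; cross-check it against the enterprise applications already consented in the tenant, and treat an unknown client ID combined with an off-platform `redirect_uri` as the strongest signal.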

Knowles provided this visual explanation of the flow: 

