Novel Attacks Exploit Microsoft Copilot and Copilot Studio for Data Theft and OAuth Token Compromise
Security researchers have identified two distinct attack techniques targeting Microsoft's AI-powered platforms. The first, dubbed CoPhish, leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests through legitimate Microsoft domains, enabling attackers to steal OAuth tokens. By customizing Copilot Studio chatbots and exploiting the platform's "demo website" feature, attackers can trick users into authenticating with malicious applications, potentially granting unauthorized access to sensitive resources. Microsoft has acknowledged the issue and is working on product updates to mitigate the risk, emphasizing the need for organizations to strengthen governance and consent processes.
Separately, a vulnerability in Microsoft 365 Copilot was discovered that allowed attackers to use indirect prompt injection via Mermaid diagrams to exfiltrate sensitive tenant data, such as emails. By embedding malicious instructions in seemingly benign prompts, attackers could manipulate Copilot to retrieve and encode confidential information. Although Microsoft has since patched this flaw, the incident highlights the emerging risks associated with integrating AI assistants and third-party tools, as well as the challenges in securing complex, automated workflows within enterprise environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose CoPhish OAuth token theft via Copilot Studio agents
A report published on October 25, 2025 detailed a 'CoPhish' attack in which Copilot Studio agents can be abused to steal OAuth tokens. The disclosure added a separate token-theft technique affecting Microsoft's Copilot-related platform.
Researchers disclose Mermaid indirect prompt injection against Microsoft 365 Copilot
A report published on October 24, 2025 described a 'Sneaky Mermaid' attack that abuses indirect prompt injection in Microsoft 365 Copilot to steal data. The disclosure identified a new attack technique targeting Microsoft's AI assistant ecosystem.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OAuth Phishing and Malicious Application Abuse in Microsoft 365 Environments
Attackers are increasingly leveraging Microsoft Copilot Studio to facilitate OAuth phishing attacks by exploiting its ability to host customizable agents and redirect users to arbitrary URLs. Security researchers have demonstrated that Copilot Studio agents, which appear as legitimate Microsoft services, can be configured with a 'Login' button that redirects unsuspecting users to malicious OAuth consent pages. This technique increases the credibility of phishing attempts, as the initial interaction occurs on a trusted Microsoft domain, making it more likely for users to grant permissions to malicious applications. Once a user consents, attackers can exfiltrate OAuth tokens, granting them persistent access to sensitive data and services within the victim's Microsoft 365 environment. The flexibility of Copilot Studio, while beneficial for legitimate automation, also provides attackers with a powerful tool to craft convincing phishing lures and automate token exfiltration. Security experts emphasize the importance of reviewing and tightening Entra ID application consent policies, especially in light of recent and upcoming policy updates from Microsoft. Despite improvements in consent policy enforcement, risks remain, particularly when users with elevated privileges, such as Application Administrators, are able to grant broad permissions. In parallel, security researchers have highlighted the prevalence of hidden malicious OAuth applications within Microsoft 365 tenants. Open-source tools like Cazadora have been developed to help administrators audit their environments for suspicious applications, such as those with anomalous names or reply URLs. Common indicators of malicious OAuth apps include names mimicking user accounts, generic test names, or non-alphanumeric strings, as well as reply URLs pointing to local loopback addresses. The discovery of even a single suspicious app often signals a broader compromise, underscoring the need for comprehensive audits. Security teams are urged to regularly inspect both Enterprise Applications and Application Registrations for signs of abuse. The combination of sophisticated phishing techniques using Copilot Studio and the widespread presence of malicious OAuth apps represents a significant threat to Microsoft 365 environments. Proactive monitoring, user education, and strict consent policies are critical to mitigating these risks. Organizations should remain vigilant for new attack vectors that exploit trusted cloud services. The evolving landscape of OAuth-based attacks requires continuous adaptation of security controls and incident response strategies. Collaboration between security researchers and cloud service providers is essential to stay ahead of emerging threats. The integration of automation and AI-driven services like Copilot Studio into enterprise environments necessitates a reevaluation of traditional security assumptions. As attackers continue to innovate, defenders must leverage both technical controls and threat intelligence to protect their organizations.
Mar 21, 2026
Microsoft Copilot flaws turned prompt injection into zero-click data theft
Researchers reported that vulnerabilities in Microsoft 365 Copilot and Consumer Copilot allowed attackers to turn prompt injection into data exfiltration, memory poisoning, and persistent compromise. Microsoft assigned `CVE-2026-24299` to the main issue set and rolled out fixes across late 2025 and early 2026, while a related Microsoft Excel flaw, `CVE-2026-26144`, showed how a conventional application bug could be chained with Copilot Agent mode to silently extract spreadsheet data. In the Copilot attacks, malicious content abused HTML preview rendering to leak sensitive information through external requests, first with CSS background images and later with `@font-face`, and researchers said users could be coerced into triggering the preview during normal interaction, creating a near zero-click exfiltration path. The research also showed that Copilot’s memory features could be poisoned to add or delete stored facts and implant persistent instructions that altered future sessions, enabling a backdoor dubbed **SpAIware** that continued leaking secrets over time. Similar issues were described in consumer Copilot, including durable-memory manipulation and browser-navigation exfiltration through Edge-integrated tooling. The findings underscore a broader security shift: AI assistants can collapse trust boundaries inside host applications, raising the impact of older flaws and forcing defenders to reassess assistant permissions, restrict outbound network access from AI-enabled apps, and separately monitor AI-initiated network activity.
May 4, 2026
Prompt Injection Vulnerabilities in Microsoft Copilot Studio AI Agents
Security researchers demonstrated that Microsoft Copilot Studio's no-code AI agent platform is susceptible to prompt injection attacks, allowing unauthorized access to sensitive business data. By leveraging the platform's ease of use, even non-technical employees can create AI agents that integrate with critical business systems such as SharePoint, Outlook, and Teams. In controlled tests, researchers were able to extract customer credit card information and manipulate booking systems to create fraudulent transactions, such as booking a $0 vacation, by issuing carefully crafted prompts to the AI agents. The core risk arises from the democratization of AI agent creation, which, while boosting productivity, also increases the attack surface for organizations. The lack of technical safeguards and the inherent vulnerabilities of large language models (LLMs) make it easy for attackers or even well-meaning users to bypass intended security controls. Experts warn that these agentic tools, if not properly secured, can lead to significant data exposure and workflow hijacking, underscoring the urgent need for robust security practices and oversight when deploying AI-powered automation in business environments.
Mar 21, 2026