Security researchers have identified a new phishing technique called CoPhish that weaponizes Microsoft Copilot Studio agents to steal OAuth tokens. By embedding fake login or consent flows in shared agents, attackers can trick users into granting access to their Microsoft accounts, allowing theft of email, chat, calendar, files and automation capabilities. Microsoft acknowledges the risk and says it will address the issue through product updates. Experts recommend immediate mitigations such as restricting third‑party app consent, enforcing conditional access and multi‑factor authentication, and closely monitoring unusual app registrations and token grants.
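The monitoring recommendation is concrete enough to sketch as detection logic. The following is an added example, not code from the article, the researchers or Microsoft: it triages a handful of constructed consent-grant records and flags the pattern the article describes, a user self-consenting to a third-party app that asks for mail, chat, calendar or file access. The record field names (`tenant_owned`, `publisher_verified`, `consented_by_admin`) are assumptions made for the example and do not reproduce the real Microsoft Entra audit log schema; the permission names are standard Microsoft Graph delegated scopes.

```python
"""Triage OAuth consent grants for the consent-phishing pattern.

Added example. Records are constructed for illustration and use simplified,
assumed field names rather than the real Entra audit log schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Delegated Microsoft Graph scopes that hand an app the kind of access the
# article lists as at risk: email, chat, calendar, files, plus a refresh
# token (offline_access) so the access outlives the phishing session.
HIGH_RISK_SCOPES = frozenset({
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Chat.Read", "Chat.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "offline_access",
})


@dataclass(frozen=True)
class ConsentEvent:
    """One 'consent granted' record (simplified; field names are assumptions)."""
    timestamp: str
    user: str
    app_name: str
    app_id: str
    tenant_owned: bool          # app registered in our own tenant
    publisher_verified: bool    # app has a verified publisher
    consented_by_admin: bool    # False => an end user self-consented
    scopes: frozenset[str]


def consent_risk(ev: ConsentEvent) -> list[str]:
    """Return the reasons a consent grant deserves review (empty = benign).

    Only third-party apps are examined: a first-party registration is
    governed by the tenant's own app lifecycle, not by consent phishing.
    """
    if ev.tenant_owned:
        return []
    reasons: list[str] = []
    if not ev.consented_by_admin:
        reasons.append("end user self-consented to a third-party app")
    risky = sorted(ev.scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes requested: " + ", ".join(risky))
    if not ev.publisher_verified:
        reasons.append("publisher not verified")
    return reasons


def triage(events: list[ConsentEvent]) -> list[tuple[str, str, list[str]]]:
    """Filter a batch of consent events down to those worth an analyst's time."""
    flagged = []
    for ev in events:
        reasons = consent_risk(ev)
        if reasons:
            flagged.append((ev.app_name, ev.user, reasons))
    return flagged


# Constructed sample records; app ids are placeholders, not real identifiers.
SAMPLE_EVENTS = [
    ConsentEvent("2025-10-24T09:01:00Z", "alice@example.test", "Internal Expense Helper",
                 "00000000-0000-0000-0000-000000000001", tenant_owned=True,
                 publisher_verified=True, consented_by_admin=True,
                 scopes=frozenset({"User.Read", "Mail.Read"})),
    ConsentEvent("2025-10-24T09:14:00Z", "bob@example.test", "Sales Assistant Agent",
                 "00000000-0000-0000-0000-000000000002", tenant_owned=False,
                 publisher_verified=False, consented_by_admin=False,
                 scopes=frozenset({"User.Read", "Mail.Read", "Files.Read.All", "offline_access"})),
    ConsentEvent("2025-10-24T09:20:00Z", "carol@example.test", "Approved Vendor Connector",
                 "00000000-0000-0000-0000-000000000003", tenant_owned=False,
                 publisher_verified=True, consented_by_admin=True,
                 scopes=frozenset({"User.Read"})),
]

if __name__ == "__main__":
    for app, user, reasons in triage(SAMPLE_EVENTS):
        print(f"REVIEW {app} (consented by {user})")
        for r in reasons:
            print(f"  - {r}")
```

Of the three constructed records only the second is flagged: a third-party, unverified app that an end user consented to with mail, file and refresh-token scopes. The first is tenant-owned and skipped; the third is third-party but admin-consented, publisher-verified and limited to `User.Read`. In practice the same logic would run over exported Entra audit events, and the tenant-wide control that removes most of these alerts at the source is the one the article names: restricting end users from consenting to third-party apps so such grants require admin review.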