New CoPhish attack steals OAuth tokens via Copilot Studio agents
A new phishing technique dubbed 'CoPhish' weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains.
A significant vulnerability in OpenAI's newly released ChatGPT Atlas browser reveals that it stores unencrypted OAuth tokens in a SQLite database with overly permissive file settings on macOS, potentially allowing unauthorized access to user accounts. This flaw, discovered by Pete Johnson just days after the browser's October 21, 2025, launch, bypasses standard encryption practices used
Criminals don't need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you're already a target. This week's ThreatsDay highlights show exactly how those weak points are being exploited - from overlooked
Cloud account takeover attacks have evolved into a sophisticated threat as cybercriminals and state-sponsored actors increasingly weaponize OAuth applications to establish persistent access within compromised environments. These malicious actors are exploiting the fundamental trust mechanisms of cloud authentication systems, specifically targeting Microsoft Entra ID environments where they can hijack user accounts, conduct reconnaissance, exfiltrate sensitive
We recently discovered a Unicode vulnerability that lets attackers impersonate Microsoft apps in Azure without stealing passwords or triggering alerts. We're calling it Azure App Mirage. It abuses invisible Unicode characters (like zero-width spaces) to make malicious apps look like legit ones (e.g., "AzurePortal"). This trick bypassed Microsoft's reserved name protections and would let attackers:
• Create apps that looked like trusted Microsoft services
• Gain initial access via OAuth consent...
Malicious OAuth apps can hide inside Microsoft 365 tenants. Huntress Labs' Cazadora script helps uncover rogue apps before they lead to a breach. Dive deeper in their Tradecraft Tuesday sessions.
Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user to any URL, including an OAuth consent attack.
In 2025, researchers tracked the rise of Scattered Lapsus$ Hunters, a collaboration between Scattered Spider, Lapsus$, and ShinyHunters. The alliance combines social engineering, insider recruitment, and large-scale data theft, shifting from isolated breaches to coordinated extortion campaigns. Highlights:
• Late 2024: Salesforce intrusions through vishing and rogue app integrations
• Early 2025: Theft of OAuth tokens from Drift and Salesloft environments
• August 2025: Telegram channel...
SaaS attacks are accelerating fast. Our latest research and fireside chat with experts from AppOmni and Bishop Fox expose how threat actors are exploiting OAuth, targeting admins, and moving laterally across cloud apps - and what defenders can do to stop them.