Cyber Security News

Hackers Abuse Microsoft Copilot for Sophisticated Phishing Attack

As organizations increasingly integrate Microsoft Copilot into their daily workflows, cybercriminals have developed sophisticated phishing campaigns specifically targeting users of this AI-powered assistant. 

Microsoft Copilot, which launched in 2023, has rapidly become an essential productivity tool for many organizations, integrating deeply with Microsoft 365 apps to provide AI-powered assistance. 

However, this widespread adoption has created a new attack vector that cybercriminals eagerly exploit. 

According to recent findings from Cofense, attackers are distributing carefully crafted phishing emails that appear to originate from “Co-pilot,” mimicking legitimate Microsoft communications.

The campaign typically begins with emails containing fake invoice notifications for Copilot services. 

“With new services like this, employees may not be aware of what types of emails they should be receiving from the provider,” reads the report.

“They may not be accustomed to the formatting or appearance of these emails and so, it is easy to imagine a scenario where an employee uses this service for the first time and is sent this spoofed invoice for services, tricking them into clicking on a link.”

Email body

When recipients click on links embedded in these phishing emails, they are redirected to convincing replicas of Microsoft Copilot welcome pages. 

These fraudulent pages closely resemble legitimate Microsoft interfaces, with accurate branding elements and design schemes. 

However, the URLs do not belong to Microsoft domains but to unrelated websites such as “ubpages.com.” The deception continues with a login prompt that mimics Microsoft’s authentication process.

Phishing page

Security analysts have noted that these phishing pages typically lack “forgotten password” functionality—a common flaw in credential harvesting sites since attackers cannot facilitate genuine password resets.

Most concerning is the final stage of the attack: after victims enter their credentials, they encounter a fraudulent Microsoft Authenticator multi-factor authentication (MFA) page. 

When an employee waits for an MFA prompt, they may be waiting for the opportunity to change their passwords or carry out other tasks that the threat actor requests.

Protecting Your Organization

Organizations can defend against these emerging threats by implementing comprehensive security measures.

Microsoft’s spoof intelligence insight tool can help identify and manage spoofed senders, allowing legitimate communications while blocking potential threats.
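The lure described above pairs Copilot branding with a sender and links that sit outside Microsoft's domains, and that mismatch can be checked mechanically during mail triage. The following is an added example, not code from Cofense or Microsoft; the allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a short illustrative allowlist, not a complete list of Microsoft domains.
MS_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "live.com"}
BRAND = re.compile(r"co-?pilot|microsoft", re.I)
HREF = re.compile(r"""href=["']([^"']+)["']""", re.I)

# Constructed sample message (not taken from the campaign); .example hosts are placeholders.
SAMPLE = """\
From: "Co-pilot" <billing@invoices.example>
Subject: Your Microsoft Copilot invoice
Content-Type: text/html; charset="utf-8"

<a href="https://landing.example/copilot-welcome">View invoice</a>
<a href="https://www.microsoft.com/privacy">Privacy</a>
<a href="https://microsoft.com.login.example/signin">Sign in</a>
"""

def is_ms_host(host):
    """True only for an allowlisted domain or a dot-separated subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MS_DOMAINS)

def triage(raw_email):
    """Flag a Copilot/Microsoft-branded message whose sender or links are off-domain."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    if not (BRAND.search(display) or BRAND.search(msg.get("Subject", ""))):
        return []  # not using the brand, so out of scope for this check
    findings = []
    sender_domain = addr.rpartition("@")[2].lower()
    if not is_ms_host(sender_domain):
        findings.append(("sender", sender_domain))
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text"
    )
    for url in HREF.findall(body):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and not is_ms_host(parts.hostname):
            findings.append(("link", parts.hostname))
    return findings

if __name__ == "__main__":
    for kind, value in triage(SAMPLE):
        print(f"off-domain {kind}: {value}")
```

The suffix match requires a leading dot, so hosts that merely contain or end with a Microsoft domain string, such as `microsoft.com.login.example`, are still flagged.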

“Over 280 billion emails are sent daily and at the same time, some reports say that 90 percent of data breaches start with a malicious email,” notes Susan Warner, vice president of marketing at Cofense.

“Phishing, sadly, works for many of the bad actors who continue to use this vector to attack.”

As Microsoft continues to integrate AI capabilities across its product suite, security professionals must remain vigilant about emerging threats.

Real-world reports already show attackers sending phishing emails claiming to charge users $360 for Microsoft Copilot services.

The intersection of AI technology and traditional phishing tactics represents a significant evolution in the threat landscape. 

By understanding these attack methods and implementing appropriate protections, organizations can mitigate risks while still benefiting from the productivity advantages that tools like Microsoft Copilot provide.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
