CoPhish Exploit Abuses Copilot Studio to Steal OAuth Tokens and Bypass Cloud Defenses
Researchers have discovered a new phishing technique, named CoPhish, that abuses Microsoft Copilot Studio to steal OAuth tokens and hijack user accounts. The attack takes advantage of the trust users place in Microsoft domains, as malicious agents are hosted on copilotstudio[.]microsoft[.]com and appear indistinguishable from legitimate services. Attackers create customized Copilot “agents” that redirect victims to malicious OAuth consent pages using built-in login buttons. Once users grant permissions, the attacker-controlled agent exfiltrates OAuth tokens directly from Microsoft’s infrastructure, enabling unauthorized access to emails, files, and collaboration tools. Because the exfiltration occurs server-side, traditional network monitoring tools may not detect the compromise, making this method particularly stealthy and dangerous for enterprise environments.
CoPhish primarily targets users in Microsoft Entra ID tenants who can create or approve applications. Unprivileged users can be tricked into authorizing internal malicious apps, while administrators with broad consent privileges are prime targets due to their elevated access. Attackers can configure these malicious agents to request high-impact permissions, including Mail.ReadWrite and Notes.ReadWrite, enabling complete control over sensitive organizational data. Security researchers urge organizations to implement stricter custom application consent policies, disable default app registration for all users, and continuously monitor Entra ID audit logs for suspicious consent or BotCreate activities. This incident highlights that even trusted Microsoft-hosted services can be repurposed as attack platforms, underscoring the need for proactive governance of emerging AI-integrated tools such as Copilot Studio.
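The audit-log monitoring recommended above can be sketched as a small triage pass over exported records. This is an added example, not code from the researchers or from Microsoft: the sample records are constructed, their shape is assumed to follow the Microsoft Graph directoryAudit format with a simplified ConsentAction.Permissions value, and `grantedScopes`, `triage` and `approvedMakers` are hypothetical names.

```javascript
// Constructed sample records, not real tenant data. Field names follow the
// Microsoft Graph directoryAudit shape; Operation/UserId cover unified audit exports.
const HIGH_IMPACT = new Set(["Mail.ReadWrite", "Notes.ReadWrite"]); // scopes named above

const SAMPLE_EVENTS = [
  { activityDisplayName: "Consent to application",
    initiatedBy: { user: { userPrincipalName: "alice@contoso.example" } },
    targetResources: [{ displayName: "Helpdesk Assistant", modifiedProperties: [
      { displayName: "ConsentAction.Permissions",
        newValue: "[] => [[ConsentType: Principal, Scope: Mail.ReadWrite Notes.ReadWrite openid]]" }] }] },
  { activityDisplayName: "Consent to application",
    initiatedBy: { user: { userPrincipalName: "bob@contoso.example" } },
    targetResources: [{ displayName: "Calendar Viewer", modifiedProperties: [
      { displayName: "ConsentAction.Permissions",
        newValue: "[] => [[ConsentType: Principal, Scope: User.Read openid]]" }] }] },
  { Operation: "BotCreate", UserId: "carol@contoso.example" },
  { activityDisplayName: "Update user",
    initiatedBy: { user: { userPrincipalName: "dave@contoso.example" } } },
];

// Extract the newly granted delegated scopes from a consent event.
function grantedScopes(event) {
  const scopes = [];
  for (const res of event.targetResources ?? []) {
    for (const prop of res.modifiedProperties ?? []) {
      if (prop.displayName !== "ConsentAction.Permissions") continue;
      const added = String(prop.newValue ?? "").split("=>").pop(); // text after "=>" is the new grant
      for (const m of added.matchAll(/Scope:\s*([^,\]]+)/g)) scopes.push(...m[1].trim().split(/\s+/));
    }
  }
  return scopes;
}

// Flag high-impact consents and agent creation by makers outside an approved set.
function triage(events, approvedMakers = new Set()) {
  const findings = [];
  for (const e of events) {
    const op = e.activityDisplayName ?? e.Operation ?? "";
    const actor = e.initiatedBy?.user?.userPrincipalName ?? e.UserId ?? "unknown";
    if (op === "BotCreate" && !approvedMakers.has(actor)) {
      findings.push({ op, actor, reason: "agent created by unapproved maker" });
    } else if (op === "Consent to application") {
      const risky = grantedScopes(e).filter((s) => HIGH_IMPACT.has(s));
      if (risky.length) findings.push({ op, actor, reason: "high-impact scopes: " + risky.join(", ") });
    }
  }
  return findings;
}
```

Extend `HIGH_IMPACT` with the scopes your tenant treats as sensitive, and pass the accounts allowed to build agents as `approvedMakers` to keep BotCreate noise down.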
Atlas Browser Flaw Exploited via Fake URLs to Bypass AI Safety Controls
Researchers at NeuralTrust have disclosed a critical flaw in OpenAI’s Atlas browser that allows attackers to disguise malicious instructions as harmless-looking URLs. The vulnerability, dubbed an omnibox prompt injection, arises from how Atlas interprets user input, deciding whether it’s a URL to visit or a natural-language command for the AI agent. Attackers can craft malformed URLs that appear legitimate but fail validation, causing Atlas to interpret them as user intent rather than navigation requests. Once executed, the embedded instructions can override user intent, perform unauthorized actions, or redirect to phishing pages. This design flaw effectively turns Atlas’s combined address/search bar into a jailbreak vector, where the lack of strict separation between trusted and untrusted input enables exploitation.
NeuralTrust Security Research identified and publicly disclosed the vulnerability on October 24, 2025. In proof-of-concept tests, attackers demonstrated “copy-link traps” that trick users into pasting manipulated URLs into the omnibox—leading to phishing pages or destructive commands such as deleting files from Google Drive via authenticated sessions. Because Atlas treats omnibox input as trusted user commands, these injected prompts bypass many of the platform’s safety and permission layers. NeuralTrust warns that the same-origin protections of traditional web browsers do not apply to agentic systems such as Atlas, which execute commands on behalf of users. The researchers recommend implementing strict URL parsing, forcing users to choose between navigation and prompt modes, and treating all omnibox prompts as untrusted by default. They also urge adopting provenance tagging, instruction stripping, and red-team testing for malformed input to prevent future abuses. This incident underscores the growing risks of agentic browsers, where AI-driven autonomy can be exploited to weaponize trust itself.
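The mitigations listed above (strict URL parsing, an explicit choice between navigation and prompt, prompts untrusted by default) can be combined into a fail-closed router. This is an added example, not Atlas or NeuralTrust code; `looksLikeUrl`, `strictParse`, `routeOmniboxInput` and the returned action names are hypothetical.

```javascript
// True when the text resembles a URL: a "scheme:/" prefix or a leading host.tld shape.
function looksLikeUrl(text) {
  return /^[a-z][a-z0-9+.-]*:\//i.test(text) ||
         /^[\w-]+(\.[\w-]+)+([/:?#]|\s|$)/.test(text);
}

// Returns a URL object only for a clean http(s) URL, null for anything else.
function strictParse(text) {
  // Reject whitespace up front: the URL parser would encode or strip it
  // and accept the rest, hiding trailing instructions inside the path.
  if (/\s/.test(text)) return null;
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "https://" + text;
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!url.hostname.includes(".")) return null;  // bare words and mis-typed schemes
  if (url.username || url.password) return null; // userinfo can disguise the real host
  return url;
}

// Decide what the omnibox does with raw input. Three outcomes only:
// navigate, ask the user to choose a mode, or pass an untrusted prompt.
function routeOmniboxInput(raw) {
  const text = raw.trim();
  if (looksLikeUrl(text)) {
    const url = strictParse(text);
    if (url) return { action: "navigate", href: url.href };
    // URL-like text that fails validation is never promoted to an agent prompt.
    return { action: "confirm", reason: "URL-like input failed strict parsing" };
  }
  // Plain text reaches the agent tagged untrusted, so tool use stays gated.
  return { action: "prompt", trusted: false, text };
}
```

The `confirm` outcome is where the user is made to pick navigation or prompt mode explicitly; ordinary sentences that happen to start with a dotted word also land there, which is the conservative side to err on.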
Update: Qilin Ransomware Abuses Native Windows Tools for Covert Data Discovery and Extortion
Qilin ransomware remains a dominant force in the global threat landscape throughout 2025, sustaining a relentless pace of over 40 new victims per month across the manufacturing and technical services sectors. Initially emerging in 2022, the group’s double-extortion model has evolved into a high-volume, global operation, with the U.S., Canada, and several European nations most affected. Recent analysis revealed a novel twist in Qilin’s toolkit: the abuse of legitimate Windows applications, including mspaint.exe and notepad.exe, to review sensitive data manually. This technique helps operators evade detection, as security tools rarely flag trusted binaries, allowing attackers to assess valuable content and plan exfiltration. Evidence suggests ties to Russian-speaking regions, though false flags remain possible, and most breaches begin with compromised VPN credentials lacking multi-factor authentication.
Qilin’s operations combine stealth and persistence, often leveraging native tools for reconnaissance and lateral movement, followed by credential theft via Mimikatz and open-source utilities. The group’s dual-encryptor approach, spreading one payload laterally via PsExec and another to encrypt network shares, demonstrates methodical precision. Data is typically archived with WinRAR and exfiltrated using Cyberduck to cloud services such as Backblaze, blending seamlessly with legitimate traffic. Qilin’s ability to exploit everyday Windows utilities underscores how sophisticated ransomware actors are innovating beyond traditional hacking tools. Organizations are urged to enforce MFA on all remote access points, restrict administrative privileges, and monitor unusual use of native Windows processes to counter this evolving threat.
RedTiger Infostealer Hijacks Discord Accounts and Steals Payment Data
Hackers are leveraging the open-source red-teaming framework RedTiger to create an infostealer targeting Discord users and harvesting sensitive data, including account credentials, payment information, and cryptocurrency wallet contents. Initially designed for penetration testing, RedTiger’s freely available Python code has been repurposed into weaponized binaries compiled with PyInstaller and disguised as gaming or Discord utilities. Once executed, the malware scours local systems for Discord and browser database files, extracting tokens, saved passwords, cookies, and credit card details. It injects malicious JavaScript into Discord’s core files to intercept login attempts, purchases, and password changes, effectively granting attackers full account control. Data is packaged and exfiltrated to GoFile, with download links sent via Discord webhooks to maintain anonymity and streamline the attacker's access.
The RedTiger-based stealer exhibits advanced evasion features, including sandbox detection, debugger termination, and forensic disruption through process and file spamming. According to Netskope, the campaign primarily targets French Discord users but may also reach broader gaming and social media communities through distribution on Discord channels, malicious download sites, and YouTube. The malware’s use of legitimate open-source tooling blurs the line between red-teaming and cybercrime, complicating attribution and mitigation. Users are advised to download software only from verified sources, revoke compromised tokens, and reinstall Discord from official channels. Enabling multi-factor authentication and clearing stored browser credentials remain crucial defenses against account takeover and data theft.