‘Evil’ Tokens Explained, Purview DLP Locks Down Copilot, and Autonomous AI Agents Are Coming to Microsoft 365
This Week in IT
LISTEN ON:
This Week in IT, hackers have a new trick that uses an Oauth 2.0 login process to slip into accounts, no password needed. Meanwhile, Microsoft is locking down its Copilot AI with fresh controls to keep your company’s data under wraps. And just when you’re getting comfortable with Copilot, Microsoft’s already onto the next frontier: autonomous AI agents that won’t wait for your commands but handle your tasks for you, from start to finish.
EvilTokens: MFA without the password – A new phishing‑as‑a‑service kit exploits Microsoft’s Oauth 2.0 device code login flow, allowing attackers to steal access tokens even when MFA is used, shifting the attack surface from passwords to token trust.
Microsoft tightens Copilot governance – Purview DLP is expanding to Copilot, giving organizations new controls over AI prompts, outputs, overshared files, and visibility into adoption, risk, and usage patterns.
Autonomous AI agents are coming – Microsoft is exploring long‑running, self‑directed AI agents (codenamed OpenClaw) that can complete tasks without prompts, raising big questions about security, control, and trust in Microsoft 365.