Malicious Outlook Add-in 'AgreeTo' Exploited to Steal Over 4,000 Microsoft Credentials and Credit Card Details
- John Jordan

- 11 hours ago
- 2 min read
A sophisticated cyberattack has been uncovered, involving the first-ever malicious Microsoft Outlook add-in found in the wild. The compromised add-in, named 'AgreeTo,' was exploited to steal over 4,000 Microsoft account credentials, including passwords and credit card information. This incident highlights a significant vulnerability in how third-party add-ins are distributed and managed within trusted platforms.
Key Takeaways
- The "AgreeTo" Outlook add-in, originally a legitimate tool, was hijacked after its developer abandoned it.
- Attackers leveraged the add-in to present a fake Microsoft login page, capturing credentials and sensitive financial data.
- Over 4,000 user accounts were compromised before the malicious activity was detected.
- The attack exploits a flaw where Microsoft's approval process for add-ins does not include ongoing content monitoring.
The 'AgreeTo' Add-in Vulnerability
The "AgreeTo" add-in, designed to help users manage and share calendar availability, was initially published to the Microsoft Office Add-ins Store in late 2022. After the developer ceased updates and their associated domain expired, an attacker was able to register the domain. This allowed them to serve malicious content at the URLs referenced in the add-in's manifest file, content that Outlook loads dynamically each time the add-in is opened.
How the Attack Unfolded
When users launched the compromised "AgreeTo" add-in, they were presented with a convincing fake Microsoft login page. Upon entering their credentials, the data was captured by a simple script and exfiltrated to the attacker via the Telegram Bot API. The victim was then seamlessly redirected to the legitimate Microsoft login page, often leaving them unaware that their information had already been compromised. This method bypassed traditional security measures due to its integration within the trusted Outlook environment and the add-in's existing permissions, which included the ability to read and modify emails.
Broader Implications and Recommendations
Security researchers from Koi Security, who uncovered the attack, emphasized that this incident represents a broadening of supply chain attack vectors. They noted that the core issue lies in the "approve once, trust forever" model employed by many marketplaces, where dynamic content served from external URLs is not continuously monitored after initial approval. Recommendations for Microsoft include triggering re-reviews when an add-in's URL content changes, verifying domain ownership, and implementing mechanisms to flag or delist abandoned add-ins. Users are advised to exercise caution with add-ins and enable multi-factor authentication, and organizations should consider blocking untrusted add-ins via administrative policies.
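The recommendation above, re-reviewing an add-in when the content behind its manifest URLs changes, can be approximated by a marketplace or a tenant administrator with a content snapshot. The following Python is an added example, not code from the article, from Koi Security or from Microsoft: it parses a constructed OfficeApp manifest (placeholder hostname, not the real add-in's domain), records a SHA-256 of what each external URL served at approval time, and flags a re-review when that content, or the set of hosts the manifest points at, later differs. The fetcher is injected so the example runs offline on constructed bytes; in practice it would be an HTTP client.

```python
"""Change monitoring for the external content an Office add-in manifest
points at. Added example: the manifest, hostnames and served bytes are
constructed, and the fetcher is injected so everything runs offline."""
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed manifest loosely following the public OfficeApp schema.
# The hostname is a placeholder, not the real add-in's domain.
INDEX_URL = "https://addin.example-publisher.test/index.html"
ICON_URL = "https://addin.example-publisher.test/icon-64.png"
APP_DOMAIN = "https://addin.example-publisher.test"
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Publisher</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Availability Add-in"/>
  <Description DefaultValue="Share calendar availability."/>
  <IconUrl DefaultValue="{ICON_URL}"/>
  <AppDomains><AppDomain>{APP_DOMAIN}</AppDomain></AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <DefaultSettings><SourceLocation DefaultValue="{INDEX_URL}"/></DefaultSettings>
  <Permissions>ReadWriteMailbox</Permissions>
</OfficeApp>
"""

# Constructed bytes standing in for what each URL served at approval time
# and what it serves now; only the entry page differs.
APPROVED_CONTENT = {
    INDEX_URL: b"<html><body>Share your calendar availability</body></html>",
    ICON_URL: b"\x89PNG\r\n\x1a\n constructed icon bytes",
    APP_DOMAIN: b"<html><body>Example Publisher</body></html>",
}
CURRENT_CONTENT = dict(APPROVED_CONTENT)
CURRENT_CONTENT[INDEX_URL] = b"<html><body>entirely different page</body></html>"

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Outlook permission levels that let the add-in read or modify mail.
HIGH_PRIVILEGE = {"ReadWriteMailbox", "ReadWriteItem"}


def _local(tag: str) -> str:
    """Strip the XML namespace so schema-version differences don't matter."""
    return tag.rsplit("}", 1)[-1]


def extract_external_urls(manifest_xml: str) -> set[str]:
    """Every absolute http(s) URL found in attribute values or element text."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    urls = set()
    for el in root.iter():
        candidates = list(el.attrib.values()) + [(el.text or "").strip()]
        urls.update(v for v in candidates if URL_RE.match(v))
    return urls


def extract_permission(manifest_xml: str) -> str:
    """The requested permission level, or '' if the manifest has none."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for el in root.iter():
        if _local(el.tag) == "Permissions":
            return (el.text or "").strip()
    return ""


def snapshot(urls, fetch) -> dict[str, str]:
    """Map each URL to a SHA-256 of the bytes it served, via the fetcher."""
    return {u: hashlib.sha256(fetch(u)).hexdigest() for u in sorted(urls)}


def review_add_in(manifest_xml: str, baseline: dict[str, str], fetch) -> dict:
    """Compare what the manifest's URLs serve now against the approval-time
    snapshot and decide whether a re-review should be triggered."""
    urls = extract_external_urls(manifest_xml)
    current = snapshot(urls, fetch)
    changed = sorted(u for u, digest in current.items() if baseline.get(u) != digest)
    baseline_hosts = {urlparse(u).hostname for u in baseline}
    new_hosts = sorted({urlparse(u).hostname for u in urls} - baseline_hosts)
    permission = extract_permission(manifest_xml)
    flagged = bool(changed or new_hosts)
    return {
        "permission": permission,
        "changed_urls": changed,
        "new_hosts": new_hosts,
        "needs_rereview": flagged,
        # Changed content behind a mail-access permission deserves priority.
        "high_risk": flagged and permission in HIGH_PRIVILEGE,
    }


if __name__ == "__main__":
    approved = snapshot(extract_external_urls(SAMPLE_MANIFEST), APPROVED_CONTENT.__getitem__)
    print(review_add_in(SAMPLE_MANIFEST, approved, CURRENT_CONTENT.__getitem__))
```

The snapshot is keyed on the URLs the manifest names, so a host that changes hands without the manifest changing is caught by the content hash rather than by anything in the manifest itself, which is the gap the "approve once, trust forever" model leaves open. The hash comparison is deliberately strict: a legitimate update also trips it, and that is the point, since the recommendation is to re-review on any change rather than to guess which changes are benign.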
Sources
First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials, The Hacker News.
Malicious Microsoft Outlook Add-in Stole 4,000 Account Credentials and Credit Card Details, Cyber Press.
"AgreeTo" Outlook Add-In Hijacked to Steal 4,000+ Passwords, TechJuice.