Microsoft Outlook Add-In Hijacked to Steal Thousands of Credentials and Payment Data
Security researchers at Koi Security uncovered a novel attack leveraging a dormant Microsoft Outlook add-in to harvest over 4,000 login credentials, credit card numbers, and banking security answers. The incident marks the first known malicious Office add-in discovered in the wild, exposing a critical flaw in Microsoft’s third-party tool distribution.
The attack centered on AgreeTo, a legitimate meeting-scheduling add-in published to the Microsoft Office Add-in Store in 2022. After the developer abandoned the project and its hosting lapsed, the subdomain the add-in had been served from (outlook-one.vercel.app) became available for anyone to register. An attacker claimed it and replaced the original tool with a fake Microsoft sign-in page, which Outlook then loaded inside an iframe for every existing user of the add-in.
Microsoft’s security review process only validates an add-in’s manifest file upon initial submission, meaning the malicious content change went undetected. The phishing page captured credentials and transmitted them to the attacker via a Telegram bot. Researchers accessed the exfiltration channel, recovering stolen data including Microsoft account logins, payment details, and IP addresses while the attackers were actively testing the credentials.
Though Microsoft removed the add-in from its store, the phishing infrastructure remained operational outside it. The AgreeTo manifest had ReadWriteItem permissions, granting potential access to read or modify users’ emails, though the attackers only deployed a basic phishing scheme. The incident underscores a broader vulnerability in software supply chains: Office add-ins function as remote dynamic dependencies, allowing content to change without Microsoft’s oversight.
Source: https://gbhackers.com/microsoft-outlook-add-in-stolen-4000-accounts/
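As an added illustration (not from the article or from Koi Security's research), a defender-side check for the two weaknesses described above: the script parses an Office add-in manifest, flags a permission level above the one an organisation allows, and flags remote source URLs hosted on shared platform subdomains such as vercel.app, which anyone can re-register once the original project is abandoned. The manifest is a constructed sample modelled on the incident, not the real AgreeTo manifest, and the suffix list beyond vercel.app is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Mail add-in permission levels, in increasing order of capability.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Shared-hosting suffixes where a project name can be re-registered by anyone once the
# owner lets it go. vercel.app is the host from the AgreeTo incident; the others are
# assumed examples of the same pattern.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io", ".herokuapp.com")


def audit_manifest(xml_text, max_permission="ReadItem"):
    """Return a de-duplicated list of findings for an Office add-in manifest string."""
    root = ET.fromstring(xml_text)
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the XML namespace prefix
        if tag == "Permissions" and el.text:
            perm = el.text.strip()
            if PERMISSION_RANK.get(perm, 99) > PERMISSION_RANK[max_permission]:
                add(f"permission {perm} exceeds allowed {max_permission}")
        # Every remote resource the manifest points at (SourceLocation, IconUrl, bt:Url, ...)
        # is a dependency Microsoft reviews only at submission time, so record where it lives.
        url = el.get("DefaultValue")
        if url and url.startswith(("http://", "https://")):
            host = (urlparse(url).hostname or "").lower()
            if url.startswith("http://"):
                add(f"insecure http url: {url}")
            if host.endswith(RECLAIMABLE_SUFFIXES):
                add(f"reclaimable shared host: {host}")
    return findings


# Constructed sample manifest (not the real AgreeTo manifest).
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Permissions>ReadWriteItem</Permissions>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://outlook-one.vercel.app/index.html"/>
  </DesktopSettings></Form></FormSettings>
</OfficeApp>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```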
Email Signature Management for Microsoft 365 / Outlook / Entra ID | by Xink cybersecurity rating report: https://www.rankiteo.com/company/microsoft-outlook-365
{
  "id": "MIC1770890241",
  "linkid": "microsoft-outlook-365",
  "type": "Cyber Attack",
  "date": "1/2022",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of the AgreeTo Outlook add-in",
      "industry": "Software, Cloud Services",
      "location": "Global",
      "name": "Microsoft",
      "size": "Enterprise",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Malicious Office Add-in (Supply Chain Attack)",
  "data_breach": {
    "data_exfiltration": "Yes (transmitted via Telegram bot)",
    "number_of_records_exposed": "4,000+",
    "personally_identifiable_information": "Yes (login credentials, IP addresses)",
    "sensitivity_of_data": "High (PII, financial data)",
    "type_of_data_compromised": [
      "Login credentials",
      "Credit card numbers",
      "Banking security answers",
      "IP addresses"
    ]
  },
  "description": "Security researchers at Koi Security uncovered a novel attack leveraging a dormant Microsoft Outlook add-in to harvest over 4,000 login credentials, credit card numbers, and banking security answers. The incident marks the first known malicious Office add-in discovered in the wild, exposing a critical flaw in Microsoft’s third-party tool distribution.",
  "impact": {
    "brand_reputation_impact": "Critical flaw in Microsoft’s third-party tool distribution exposed",
    "data_compromised": "4,000+ login credentials, credit card numbers, banking security answers, IP addresses",
    "identity_theft_risk": "High (PII and payment data stolen)",
    "operational_impact": "Potential unauthorized access to emails (ReadWriteItem permissions)",
    "payment_information_risk": "High (credit card numbers and banking security answers stolen)",
    "systems_affected": "Microsoft Outlook with AgreeTo add-in installed"
  },
  "initial_access_broker": {
    "entry_point": "Expired domain takeover (outlook-one.vercel.app)"
  },
  "investigation_status": "Ongoing (researchers accessed exfiltration channel)",
  "lessons_learned": "Office add-ins function as remote dynamic dependencies, allowing content to change without oversight. Microsoft’s security review process only validates manifests upon initial submission, leaving room for post-deployment tampering.",
  "motivation": "Financial gain (credential and payment data theft)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Microsoft removed the malicious add-in from its store",
      "Researchers recovered stolen data from the exfiltration channel"
    ],
    "root_causes": [
      "Lack of ongoing security validation for Office add-ins",
      "Expired domain takeover",
      "Insufficient manifest validation post-deployment"
    ]
  },
  "recommendations": [
    "Implement ongoing security validation for third-party add-ins",
    "Monitor for expired domains associated with add-ins",
    "Restrict add-in permissions to least privilege",
    "Enhance detection of phishing pages within add-ins"
  ],
  "references": [
    {"source": "Koi Security"}
  ],
  "response": {
    "containment_measures": "Microsoft removed the add-in from its store",
    "third_party_assistance": "Koi Security (researchers)"
  },
  "title": "Microsoft Outlook Add-In Hijacked to Steal Thousands of Credentials and Payment Data",
  "type": "Phishing, Credential Theft, Data Exfiltration",
  "vulnerability_exploited": "Expired domain takeover, lack of ongoing security validation for Office add-ins"
}