Microsoft: A popular Microsoft Outlook add-in has been hijacked to try and steal user accounts - here's how to stay safe

Hackers Hijack Abandoned Outlook Add-In to Steal 4,000 Microsoft Accounts

Security researchers at Koi uncovered a sophisticated phishing campaign leveraging AgreeTo, a once-legitimate Outlook add-in for meeting scheduling. Originally published on Microsoft’s Office Add-in Store in December 2022, the tool was abandoned by its developer, allowing attackers to seize control of its URL and repurpose it into a malicious phishing kit.

When users launched the add-in, they were presented with a fake Microsoft login page designed to harvest credentials. Through the attackers’ exfiltration channel (a Telegram bot API), researchers confirmed the theft of over 4,000 Microsoft accounts, along with sensitive financial data, including credit card numbers and banking security answers. The campaign remained active, with threat actors testing stolen credentials to identify high-value targets for further exploitation.

Microsoft intervened by removing the add-in from its marketplace, marking the first known instance of malware on the official Microsoft Marketplace and the first malicious Outlook add-in detected in the wild. Koi’s investigation also revealed that the same group operates at least a dozen other phishing kits targeting ISPs, banks, and webmail providers, though their success rates compared to AgreeTo remain unclear.

The incident highlights the risks of abandoned software in trusted repositories, where dormant projects can be weaponized without users’ knowledge.

Source: https://www.techradar.com/pro/security/a-popular-microsoft-outlook-add-in-has-been-hijacked-to-try-and-steal-user-accounts-heres-how-to-stay-safe

Microsoft TPRM report: https://www.rankiteo.com/company/microsoftoutlooktools

{
  "id": "mic1770928280",
  "linkid": "microsoftoutlooktools",
  "type": "Cyber Attack",
  "date": "12/2022",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Over 4,000',
                        'industry': 'Software',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Technology company'}],
 'attack_vector': 'Malicious Outlook add-in',
 'data_breach': {'data_exfiltration': 'Yes (via Telegram bot API)',
                 'number_of_records_exposed': 'Over 4,000',
                 'personally_identifiable_information': 'Yes (credit card '
                                                        'numbers, banking '
                                                        'security answers)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Financial data',
                                              'Personally identifiable '
                                              'information']},
 'description': 'Security researchers at Koi uncovered a sophisticated '
                'phishing campaign leveraging *AgreeTo*, a once-legitimate '
                'Outlook add-in for meeting scheduling. Originally published '
                'on Microsoft’s Office Add-in Store in December 2022, the tool '
                'was abandoned by its developer, allowing attackers to seize '
                'control of its URL and repurpose it into a malicious phishing '
                'kit. When users launched the add-in, they were presented with '
                'a fake Microsoft login page designed to harvest credentials. '
                'Through the attackers’ exfiltration channel (a Telegram bot '
                'API), researchers confirmed the theft of over 4,000 Microsoft '
                'accounts, along with sensitive financial data, including '
                'credit card numbers and banking security answers. The '
                'campaign remained active, with threat actors testing stolen '
                'credentials to identify high-value targets for further '
                'exploitation.',
 'impact': {'brand_reputation_impact': "Negative impact on Microsoft's "
                                       'marketplace trust',
            'data_compromised': 'Over 4,000 Microsoft accounts, credit card '
                                'numbers, banking security answers',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'Microsoft accounts, Outlook add-in users'},
 'initial_access_broker': {'entry_point': 'Abandoned Outlook add-in '
                                          '(*AgreeTo*)',
                           'high_value_targets': 'Yes (threat actors tested '
                                                 'stolen credentials for '
                                                 'high-value targets)'},
 'investigation_status': 'Ongoing (campaign remained active)',
 'lessons_learned': 'Risks of abandoned software in trusted repositories, '
                    "where dormant projects can be weaponized without users' "
                    'knowledge.',
 'motivation': 'Financial gain, credential harvesting',
 'post_incident_analysis': {'root_causes': 'Abandoned software in Microsoft’s '
                                           'Office Add-in Store, lack of '
                                           'monitoring for dormant projects'},
 'references': [{'source': 'Koi security researchers'}],
 'response': {'containment_measures': 'Microsoft removed the add-in from its '
                                      'marketplace',
              'third_party_assistance': 'Koi (security researchers)'},
 'title': 'Hackers Hijack Abandoned Outlook Add-In to Steal 4,000 Microsoft '
          'Accounts',
 'type': 'Phishing',
 'vulnerability_exploited': 'Abandoned software in trusted repository'}