• Outlook add-in goes rogue and steals 4,000 credentials and payment data: researchers found a malicious Microsoft Outlook add-in that was used to steal 4,000 Microsoft account credentials, credit card numbers, and banking security answers.
• How is it possible that the Microsoft Office Add-in Store ended up listing an add-in that silently loaded a phishing kit inside Outlook's sidebar?
• A developer launched an add-in called AgreeTo, an open-source meeting scheduling tool with a Chrome extension.
• It was a popular tool, but at some point it was abandoned by its developer, its backend URL on Vercel expired, and an attacker later claimed that same URL.
• That requires some explanation.
• Office add-ins are essentially XML manifests that tell Outlook to load a specific URL in an iframe.
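Because the manifest is the only thing binding an add-in to the web content Outlook renders, the defender's check is to read the manifest and ask whether the hosts it points at are still under the vendor's control. The script below is an added example, not code from the article or from the AgreeTo project: it parses an Office add-in manifest, lists every URL the add-in tells Outlook to load, reports the mail permission it requests, and flags any host that no longer resolves (a host that has lapsed is one anyone could re-register, which is the failure mode described above). The sample manifest and its hostname are constructed for illustration; the element names follow the public Office add-in manifest schema, and the DNS resolver is injectable so the check can be exercised offline.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest (not the real AgreeTo manifest). The hostname is a
# placeholder; element names follow the Office add-in manifest schema.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed sample"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://scheduler-example.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
                    xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls>
        <bt:Url id="Taskpane.Url" DefaultValue="https://scheduler-example.vercel.app/taskpane.html"/>
        <bt:Url id="Commands.Url" DefaultValue="https://scheduler-example.vercel.app/commands.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""


def _local(tag):
    """Strip the XML namespace so matching works across manifest schema versions."""
    return tag.rsplit("}", 1)[-1]


def extract_load_urls(manifest_xml):
    """Return every URL the manifest tells Outlook to load (SourceLocation and bt:Url)."""
    root = ET.fromstring(manifest_xml)
    urls = set()
    for elem in root.iter():
        if _local(elem.tag) in ("SourceLocation", "Url") and elem.get("DefaultValue"):
            urls.add(elem.get("DefaultValue"))
    return sorted(urls)


def extract_permission(manifest_xml):
    """Return the mail permission level the add-in requests (e.g. ReadWriteItem)."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        if _local(elem.tag) == "Permissions":
            return (elem.text or "").strip()
    return None


def find_dangling_hosts(urls, resolver=socket.gethostbyname):
    """Return hosts that no longer resolve; a lapsed host is one anyone could re-register."""
    dangling = set()
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        try:
            resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            dangling.add(host)
    return sorted(dangling)


def audit_manifest(manifest_xml, resolver=socket.gethostbyname):
    """Summarise what the add-in loads, what it may read, and whether any host is dangling."""
    urls = extract_load_urls(manifest_xml)
    return {
        "urls": urls,
        "permission": extract_permission(manifest_xml),
        "dangling_hosts": find_dangling_hosts(urls, resolver),
    }


if __name__ == "__main__":
    # Live run uses real DNS; swap in a stub resolver to exercise the logic offline.
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against the manifests of every add-in deployed in a tenant, a host that fails to resolve next to a `ReadWriteItem` permission is exactly the combination worth removing first: the add-in can read and modify the open message, and whoever registers the lapsed host decides what it does with that access.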

Article Summaries:

  • Microsoft researchers uncovered a malicious Outlook add‑in, “AgreeTo,” that had been listed in the Office Add‑in Store while its original developer abandoned the project. The add‑in’s manifest pointed to a Vercel URL that the attacker later claimed, allowing the add‑in to load a phishing kit inside Outlook’s sidebar. With previously granted ReadWriteItem permissions, the kit captured Microsoft account credentials, credit‑card numbers, and banking security answers, amassing more than 4,000 stolen data sets. The attacker used a Telegram‑based exfiltration channel and operated a broader multi‑brand phishing campaign. Users who installed the add‑in after May 2023 are advised to uninstall it, change passwords, and review account activity.

Sources: