First Malicious Outlook Add-In Discovered Stealing 4,000+ Microsoft Credentials

Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.

In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been codenamed AgreeToSteal by the cybersecurity company.

The Outlook add-in in question is AgreeTo, which is marketed by its developer as a way for users to connect different calendars in one place and share their availability via email. The add-in was last updated in December 2022.

Idan Dardikman, co-founder and CTO of Koi, told The Hacker News that the incident represents a broadening of supply chain attack vectors.

“This is the same class of attack we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval,” Dardikman said. “What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they’re distributed through Microsoft’s own store, which carries implicit trust.”

“The AgreeTo case adds another dimension: the original developer did nothing wrong. They built a legitimate product and moved on. The attack exploited the gap between when a developer abandons a project and when the platform notices. Every marketplace that hosts remote dynamic dependencies is susceptible to this.”

At its core, the attack exploits how Office add-ins work and the lack of periodic content monitoring of add-ins published to the Marketplace. According to Microsoft’s documentation, add-in developers are required to create an account and submit their solution to the Partner Center, following which it is subjected to an approval process.

What’s more, Office add-ins make use of a manifest file that declares a URL, the contents of which are fetched and served in real time from the developer’s server each time the add-in is opened within an iframe element inside the application. However, there is nothing stopping a bad actor from taking control of an expired domain.

In the case of AgreeTo, the manifest file pointed to a URL hosted on Vercel (“outlook-one.vercel[.]app”), which became claimable after the developer’s Vercel deployment was deleted as a result of the project essentially becoming abandonware sometime around 2023.

The attacker took advantage of this behavior to stage a phishing kit on that URL that displayed a fake Microsoft sign-in page, capturing entered passwords, exfiltrating the details via the Telegram Bot API, and eventually redirecting the victim to the actual Microsoft login page. The infrastructure is still live as of writing.

But Koi warns that the incident could have been worse. Given that the add-in is configured with “ReadWriteItem” permissions – which allow it to read and modify the user’s emails – a threat actor could have abused this blind spot to deploy JavaScript that could covertly siphon a victim’s mailbox contents.

The findings once again bring to the fore the need for rescanning packages and tools uploaded to marketplaces and repositories to flag malicious or suspicious activity.

Dardikman said that while Microsoft reviews the manifest during the initial submission phase, there is no control over the actual content that is retrieved live from the developer’s server once the manifest is signed and approved. As a result, the absence of continued monitoring of what the URL serves opens the door to unintended security risks each time an unsuspecting user opens the add-in.

“Office add-ins are fundamentally different from traditional software,” Dardikman added. “They don’t ship a static code bundle. The manifest simply declares a URL, and whatever that URL serves at any given moment is what runs inside Outlook. In AgreeTo’s case, Microsoft signed the manifest in December 2022, pointing to outlook-one.vercel.app. That same URL is now serving a phishing kit, and the add-in is still listed in the store.”

To counter the security issues posed by the threat, Koi recommends a number of steps that Microsoft can take –

  • Trigger a re-review when an add-in’s URL starts returning different content from what it returned during review.
  • Verify ownership of the domain to ensure that it is controlled by the add-in developer, and flag add-ins where the domain infrastructure has changed hands.
  • Implement a mechanism for delisting or flagging add-ins that have not been updated beyond a certain time period.
  • Display install counts as a way to assess impact.
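As an added example (not Koi’s tooling or Microsoft’s review process), the following sketches how the manifest-declared URL mechanism described above can be re-checked after approval: the manifest’s remote URLs and permission level are extracted, served content is fingerprinted against the approved version, and URLs on platform subdomains that can be reclaimed are flagged. The sample manifest, the reassignable-host list and the fingerprints are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest following the Office add-in schema elements the article
# describes (a SourceLocation URL and a Permissions level). It is not AgreeTo's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Calendar Add-in"/>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://example-addin.vercel.app/index.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""

# Platform subdomains that can be reassigned after a deployment is deleted; illustrative
# list (assumption), seeded with the vercel.app case from the article.
REASSIGNABLE_HOST_SUFFIXES = (".vercel.app",)

def review_manifest(manifest_xml):
    """Return every remote URL declared in the manifest and its permission level."""
    root = ET.fromstring(manifest_xml)
    urls = sorted({el.get("DefaultValue") for el in root.iter()
                   if (el.get("DefaultValue") or "").startswith("http")})
    perm = next((el.text.strip() for el in root.iter()
                 if el.tag.endswith("}Permissions") and el.text), None)
    return {"urls": urls, "permission": perm}

def content_fingerprint(body):
    """SHA-256 of a served response body, recorded at approval and compared later."""
    return hashlib.sha256(body).hexdigest()

def drift_findings(manifest_xml, approved_hashes, fetched_bodies):
    """Flag content drift ({url: hash} vs {url: bytes}), reassignable hosting, high privilege."""
    info = review_manifest(manifest_xml)
    findings = []
    for url in info["urls"]:
        host = urlparse(url).hostname or ""
        if host.endswith(REASSIGNABLE_HOST_SUFFIXES):
            findings.append(f"hosted on reassignable platform subdomain: {host}")
        if url in fetched_bodies and (
                content_fingerprint(fetched_bodies[url]) != approved_hashes.get(url)):
            findings.append(f"served content differs from approved version: {url}")
    if info["permission"] in ("ReadWriteItem", "ReadWriteMailbox"):
        findings.append(f"high-privilege scope {info['permission']}: prioritise re-review")
    return findings
```

In a real pipeline the fetched bodies would come from periodically re-requesting each URL and the approved hashes from the submission-time snapshot; any “differs” finding is the signal Koi’s first recommendation asks for.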

It bears noting that the problem is not limited to Microsoft Marketplace or the Office Store alone. Last month, Open VSX announced plans to implement security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository. Microsoft’s VS Code Marketplace, similarly, does periodic bulk rescanning of all packages in the registry.

“The structural problem is the same across all marketplaces that host remote dynamic dependencies: approve once, trust forever,” Dardikman said. “The specifics vary by platform, but the fundamental gap that enabled AgreeTo exists anywhere a marketplace reviews a manifest at submission without monitoring what the referenced URLs actually serve afterward.”

Update

As of February 12, 2026, the AgreeTo add-in is no longer available from Microsoft Marketplace. Users who are still using AgreeTo are advised to remove it as soon as possible, and to reset their Microsoft account passwords out of an abundance of caution.

“We’ve removed the add-in from our store, and have taken additional steps to protect potentially impacted customers,” a Microsoft spokesperson told The Hacker News via email. “We immediately take action when we detect malicious activity in our marketplace and will continue to enhance our ability to proactively detect these behaviors.”

(The story was updated after publication to include a response from Microsoft.)
