First Malicious Outlook Add-In Discovered by Researchers

Cybersecurity experts have identified the first malicious Microsoft Outlook add-in, dubbed "AgreeToSteal," which exploited a legitimate add-in called AgreeTo. The attack involved an unknown actor taking over a domain linked to the original add-in, creating a fake Microsoft login page, and stealing over 4,000 credentials. This incident highlights the growing trend of attacks on trusted sources like browser extensions and Office add-ins, which can access sensitive information and are often trusted by users.

The attack leveraged the way Office add-ins function: the add-in's manifest file points to a URL, and the content served from that URL is loaded and rendered inside the application at runtime, so whoever controls the URL controls what users see. The attacker took control of the domain after the original developer's account was deleted and used it to host a fake login page. This allowed them to capture user credentials and then redirect victims to the legitimate Microsoft login page. The add-in's permissions could have enabled further exploitation, such as accessing users' emails.

Koi Security, the firm that discovered the attack, emphasized the need for regular rescanning of marketplace content to detect malicious changes. They noted that while Microsoft checks add-ins upon submission, the URLs those add-ins point to are not monitored afterwards, so content served from them can change after approval without anyone noticing. The AgreeTo add-in has since been removed from the Microsoft Marketplace, and users are advised to uninstall it and change their passwords.
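The rescan that Koi Security calls for can be illustrated with a small scanner over an Office add-in manifest. The following is an added example and not code from Koi Security, Microsoft, or the AgreeTo add-in: it extracts every remote URL the manifest references (the `SourceLocation`, `bt:Url` and `AppDomain` elements of the standard XML manifest schema), records a content fingerprint for each at approval time, and on a later rescan flags URLs whose host is no longer the approved one, that have gone unreachable, or whose content changed, raising severity when the manifest also requests mailbox permissions. The manifest, hostnames, page bodies and severity labels are all constructed placeholders for this example.

```python
"""Rescan an Office add-in manifest against its approval-time snapshot.

Added example, not code from Koi Security, Microsoft, or the AgreeTo
project. It models the gap described in the article: a manifest only
points at remote URLs, so a one-time review at submission cannot see
that the content behind those URLs changed later. The manifest, hosts
and page bodies below are constructed placeholders.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import urlparse

OFFICE_NS = "http://schemas.microsoft.com/office/appforoffice/1.1"

# Permissions that would let a hijacked add-in read or act on mailbox content.
HIGH_RISK_PERMISSIONS = {"ReadWriteMailbox", "ReadWriteItem"}

# Constructed manifest, trimmed to the elements the scan needs.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed add-in for this example"/>
  <AppDomains><AppDomain>https://addin.example-vendor.test</AppDomain></AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <Requirements><Sets><Set Name="Mailbox" MinVersion="1.1"/></Sets></Requirements>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example-vendor.test/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</OfficeApp>
"""

Fetcher = Callable[[str], Optional[str]]  # url -> page body, or None if unreachable


def _local(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def extract_urls(manifest_xml: str) -> set[str]:
    """Every absolute http(s) URL the manifest points at: SourceLocation and
    bt:Url resources via their DefaultValue attribute, plus AppDomain text."""
    urls: set[str] = set()
    for el in ET.fromstring(manifest_xml).iter():
        value = el.attrib.get("DefaultValue", "")
        if _local(el.tag) == "AppDomain":
            value = (el.text or "").strip()
        if value.startswith(("http://", "https://")):
            urls.add(value)
    return urls


def extract_permissions(manifest_xml: str) -> set[str]:
    """Permission levels requested by the manifest (e.g. ReadWriteMailbox)."""
    root = ET.fromstring(manifest_xml)
    return {(el.text or "").strip() for el in root.iter(f"{{{OFFICE_NS}}}Permissions")}


def fingerprint(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def looks_like_credential_form(body: str) -> bool:
    """Crude heuristic: a form with a password field where there was none."""
    b = body.lower()
    return "<form" in b and 'type="password"' in b


def snapshot(manifest_xml: str, fetch: Fetcher) -> dict[str, str]:
    """Record a content fingerprint for every manifest URL at approval time."""
    return {u: fingerprint(fetch(u) or "") for u in extract_urls(manifest_xml)}


def rescan(manifest_xml: str, baseline: dict[str, str], fetch: Fetcher) -> list[str]:
    """Compare what the manifest's URLs serve now against the approval snapshot."""
    findings: list[str] = []
    risky = extract_permissions(manifest_xml) & HIGH_RISK_PERMISSIONS
    approved_hosts = {urlparse(u).hostname for u in baseline}
    for url in sorted(extract_urls(manifest_xml)):
        if urlparse(url).hostname not in approved_hosts:
            findings.append(f"[HIGH] {url}: host was not part of the approved manifest")
            continue
        body = fetch(url)
        if body is None:
            findings.append(f"[MEDIUM] {url}: no longer reachable; check whether the domain lapsed")
            continue
        if fingerprint(body) == baseline.get(url):
            continue
        severity = "HIGH" if risky else "MEDIUM"
        detail = "content changed since approval"
        if looks_like_credential_form(body):
            detail += " and now serves a password form"
        findings.append(f"[{severity}] {url}: {detail}")
    return findings


# Constructed page bodies: what the vendor served at approval, and what the
# same URLs serve after the domain changed hands.
AT_APPROVAL = {
    "https://addin.example-vendor.test": "<html><body>Example Vendor</body></html>",
    "https://addin.example-vendor.test/taskpane.html": "<html><body><h1>Scheduler</h1></body></html>",
}
AFTER_TAKEOVER = {
    "https://addin.example-vendor.test": "<html><body>Parked</body></html>",
    "https://addin.example-vendor.test/taskpane.html":
        '<html><body><form action="/login"><input name="user"/>'
        '<input type="password" name="pw"/></form></body></html>',
}


def demo() -> list[str]:
    baseline = snapshot(SAMPLE_MANIFEST, AT_APPROVAL.get)
    return rescan(SAMPLE_MANIFEST, baseline, AFTER_TAKEOVER.get)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real marketplace pipeline the `fetch` callable would be an HTTP client with a timeout, and the "unreachable" branch is where a WHOIS or DNS check for domain expiry would hang off; the fingerprint comparison is deliberately exact, since an add-in that legitimately redeploys will simply trigger a re-review rather than slip through.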

This incident underscores a broader issue across digital marketplaces, where content is approved once but not continuously monitored, posing ongoing security risks. Microsoft has responded by removing the add-in and committing to enhancing their detection capabilities.

Stay secure — stay Wavasec. 🔐