First Malicious Outlook Add-in Found Stealing 4,000+ Microsoft Credentials

Cybersecurity researchers have discovered what they say is the first malicious Microsoft Outlook add-in found in the wild.

In this unusual supply chain attack described by Koi Security, an unknown attacker searched for a domain associated with a legitimate add-on left to use a fake Microsoft login page, stealing more than 4,000 credentials in the process. The function is named in code AgreeToSteal is a cybersecurity company.

The Outlook add-in in question is AgreeTo, advertised by its developer as a way for users to connect different calendars in one place and share their availability via email. The supplement was last updated in December 2022.

Idan Dardikman, founder and CTO of Koi, told Hacker News that this incident represents the expansion of attack vectors.

“This is the same attack class we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where content can change after approval,” Dardikman said. “What makes Office add-ins particularly impactful is a combination of factors: they work within Outlook, where users manage very sensitive communications, they can request permissions to read and modify emails, and they are distributed through the Microsoft store, which has full trust.”

“The AgreeTo case adds another dimension: the original developer didn’t do anything wrong. They built a legitimate product and moved on. The attack exploited the gap between the developer leaving the project and the platform noticing. The entire marketplace that hosts remote dependencies can be affected by this.”

Basically, the attack uses the way Office add-ins work and the lack of periodic content monitoring of add-ins published in the Marketplace. According to Microsoft’s documentation, add-on developers are required to create an account and submit their solution to the Partner Center, following which it is subject to an approval process.

In addition, Office add-ins use a manifest file that declares a URL, the content of which is downloaded and rendered in real time from the developer’s server every time it is opened within an iframe object within the application. However, there is nothing stopping a bad actor from taking control of an outdated domain.

In the case of AgreeTo, the manifest file points to a URL hosted on Vercel (“outlook-one.vercel[.]app”), which was a claim after the developer’s Vercel deployment was removed due to its eventual abandonment sometime around 2023. The infrastructure is still live as of this writing.

The attacker used this opportunity to create a phishing kit on that URL that displayed a fake Microsoft login page, captured the passwords entered, extracted information via the Telegram Bot API, and finally redirected the victim to the real Microsoft login page.

But Koi warns that the incident could be worse. Given that the add-on is configured with “ReadWriteItem” permissions – which allow it to read and modify the user’s emails – a threat actor could exploit this blind spot to execute JavaScript that could secretly extract the contents of the victim’s mailbox.

The findings also highlight the need to re-scan packaged and uploaded tools in marketplaces and repositories to flag malicious/suspicious activity.

Dardikman said that while Microsoft updates the manifest during the initial submission phase, there is no control over the actual content that is returned live to the developer’s server every time an add-on is opened, once signed and accepted. As a result, the absence of continuous monitoring of what the URL provides opens the door to unintended security risks.

“Office add-ins are very different from traditional software,” added Dardikman. “They don’t send a bunch of static code. The manifest just exposes the URL, and whatever that URL is running at any given time is what’s running inside Outlook. In the case of AgreeTo, Microsoft signed the manifest in December 2022, pointing to outlook-one.vercel.app. That same URL is now running a phishing kit, and the add-in is still listed in the store.”

To address the security issues posed by the threat, Koi recommends several steps Microsoft can take –

• Trigger a refresh when the add-on URL starts returning content that is different from what it was during the refresh.
• Verify domain ownership to ensure it is owned by the developer adding it, and mark additions when the domain’s infrastructure has changed hands.
• Use the unlisting or flagging method for additions that have not been updated for more than a certain period of time.
• Display installation is calculated as an impact test.

Hacker News has reached out to Microsoft for comment, and we’ll update the story when we hear back.

It is worth noting that the problem is not limited to the Microsoft Marketplace or the Office Store. Last month, Open VSX announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open source repository. Microsoft’s VS Code Marketplace, similarly, performs periodic batch rescans of all packages in the registry.

“The structural problem is the same in all markets that handle remote dependencies: enable once, trust forever,” Dardikman said. “Definitions vary by platform, but the fundamental gap that enabled AgreeTo exists wherever the marketplace updates the manifest on submission without monitoring what the referenced URLs are serving afterwards.”