A security gap in Microsoft’s app marketplace allowed hackers to take over a seemingly inactive Outlook add-in and use it to steal thousands of user credentials. Researchers uncovered that attackers exploited an abandoned add-in to launch a large-scale phishing campaign, compromising around 4,000 Microsoft accounts. This incident highlights how weak points in the add-in submission process can be misused by cybercriminals.

How the Attack Was Made Possible

The add-in involved in the attack is called AgreeTo, a meeting scheduling tool that first appeared in 2022. At some point after its launch, the developer stopped maintaining it, leaving it effectively abandoned. Despite this, the add-in remained listed on Microsoft’s marketplace, still accessible to users. A hacker noticed that the add-in was no longer active and decided to hijack it for malicious purposes.

The breach was surprisingly simple. Developers submit add-ins to Microsoft’s store using only a basic XML manifest file. This file contains the add-in’s name, description, download URL, and permissions. No code is reviewed or checked by Microsoft at this stage. In the case of AgreeTo, the manifest linked to a subdomain hosted on Vercel, a popular development platform. The actual user interface and logic were fetched live from the developer’s server every time the add-in was used.

Exploiting an Orphaned URL

The attacker took control of the abandoned subdomain that the original manifest pointed to. They replaced the original content with a malicious phishing kit. This kit included a fake Microsoft sign-in page designed to steal passwords, along with scripts to exfiltrate data and redirect users to other malicious sites. Because the original permissions granted to the add-in allowed reading and modifying emails, the attacker could also access sensitive data.

What made this attack particularly easy was that the attacker did not need to submit anything to Microsoft or go through a review process. The add-in’s listing was already approved and signed by Microsoft. The attacker simply claimed control of the orphaned URL, and Microsoft’s infrastructure served the malicious content without suspicion. Victims’ credentials and IP addresses were automatically sent to the attacker through a simple Telegram bot, avoiding complex command-and-control systems.

Researchers from Koi Security discovered that about 4,000 victims had fallen for the phishing trap. Once identified, the security firm contacted these users to warn them about the breach. They also found that the same attacker was operating multiple phishing kits pretending to be various banks and webmail providers, stealing credit card details, PINs, security answers, and other sensitive information.

This incident shows how vulnerabilities in the add-in submission process can be exploited by bad actors. It underscores the importance of better security checks and monitoring for abandoned or outdated add-ins in app marketplaces. As more organizations rely on these tools, ensuring their integrity becomes critical to prevent large-scale data breaches.

Inspired by

• https://www.computerworld.com/article/4131595/dead-outlook-add-in-hijacked-to-phish-4000-microsoft-office-store-users.html

Sources

• koi.ai
• co.uk