
Malicious Microsoft Outlook Add-in Stole 4,000 Account Credentials and Credit Card Details – Cyber Press

Attackers have revived an abandoned Microsoft Outlook add-in to phish thousands of users, harvesting Microsoft account credentials and even credit card details.
Security firm Koi AI uncovered this “zombie” attack, which it describes as the first malicious Office add-in observed in the wild.
It exposes a key gap in the review model: Microsoft vets an add-in when it is submitted but does not re-check what its URLs serve afterwards, so a dormant add-in whose hosting has lapsed can be taken over without anyone noticing.
Back in 2022, a developer released “AgreeTo,” a legitimate meeting scheduler, on the Microsoft Office Add-in Store, and Outlook users added it for easy calendar booking.
The developer then abandoned it and let its hosting lapse, leaving the Vercel subdomain (outlook-one.vercel.app) free for anyone to register.
Office add-ins aren’t downloaded and installed like desktop apps. An add-in is a web page that Outlook loads in an iframe from the URL named in its manifest, so whoever controls that URL controls what users see. If the hosting is abandoned and the name can be re-registered, anyone can claim it.
An attacker claimed the subdomain and instantly controlled what users saw in their Outlook sidebar, with no new approval needed.
Microsoft vets the add-in’s manifest (an XML file listing its settings, URLs and permissions) only at submission. AgreeTo’s 2022 manifest had passed review with the “ReadWriteItem” permission level, which lets the add-in read and modify the currently open email. Once hijacked, the same URL served a fake Microsoft login page in place of the scheduler.
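A defensive counterpart to the review gap described above, added here as an example and not code from Koi AI, Microsoft or the AgreeTo project: a Python script that parses an Outlook add-in manifest, pulls out every URL Outlook would load, flags hosts on platforms whose subdomains can be re-registered by a stranger (that suffix list is an assumption to maintain for your own environment), optionally checks whether each host still resolves, and combines the result with the declared permission level. The sample manifest is constructed for the script; its element names follow the public Office add-in manifest schema, and ReadWriteItem is the level the article says AgreeTo held.

```python
"""Audit an Outlook add-in XML manifest for the two conditions behind the
AgreeTo hijack: a takeover-prone host and a high permission level.
Added example, not Koi AI's or Microsoft's code."""
import socket
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample manifest for this script (not the real AgreeTo manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Hypothetical scheduler add-in for this audit example"/>
  <AppDomains>
    <AppDomain>https://example-scheduler.vercel.app</AppDomain>
  </AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-scheduler.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</OfficeApp>
"""

NS = {"o": "http://schemas.microsoft.com/office/appforoffice/1.1"}

# Outlook add-in permission levels, least to most privileged.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Platforms that release a project's subdomain when the project is deleted, so a
# lapsed name can be claimed by anyone. Assumption: illustrative list, maintain it.
RECLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "herokuapp.com")


@dataclass
class ManifestReport:
    display_name: str
    permission: str
    urls: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    findings: list = field(default_factory=list)


def extract_urls(root):
    """Every absolute http(s) URL Outlook is told to load or trust: SourceLocation
    and icon/Url elements carry it in DefaultValue, AppDomain as element text."""
    urls = []
    for el in root.iter():
        for candidate in (el.get("DefaultValue"), (el.text or "").strip()):
            if candidate and candidate.startswith(("http://", "https://")):
                urls.append(candidate)
    return urls


def on_reclaimable_platform(host):
    return any(host == s or host.endswith("." + s) for s in RECLAIMABLE_SUFFIXES)


def dns_resolves(host):
    """Live DNS check; audit_manifest accepts any callable so it can be stubbed."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def audit_manifest(xml_text, resolve=None):
    """Parse the manifest and return a report; resolve=None skips the DNS step."""
    root = ET.fromstring(xml_text)
    name_el = root.find("o:DisplayName", NS)
    perm_el = root.find("o:Permissions", NS)
    report = ManifestReport(
        display_name=name_el.get("DefaultValue", "") if name_el is not None else "",
        permission=(perm_el.text or "").strip() if perm_el is not None else "Restricted",
    )
    report.urls = extract_urls(root)
    report.hosts = {urlparse(u).hostname for u in report.urls} - {None}
    for url in report.urls:
        if url.startswith("http://"):
            report.findings.append(f"plaintext URL: {url}")
    for host in sorted(report.hosts):
        if on_reclaimable_platform(host):
            report.findings.append(f"host on re-claimable platform: {host}")
        if resolve is not None and not resolve(host):
            report.findings.append(f"host does not resolve (dangling): {host}")
    if PERMISSION_RANK.get(report.permission, 0) >= PERMISSION_RANK["ReadWriteItem"]:
        report.findings.append(f"high permission level: {report.permission}")
    return report


def is_high_risk(report):
    """The AgreeTo pattern: takeover-prone host plus write access to mail items."""
    host_risk = any("re-claimable" in f or "dangling" in f for f in report.findings)
    perm_risk = any("high permission" in f for f in report.findings)
    return host_risk and perm_risk


if __name__ == "__main__":
    rep = audit_manifest(SAMPLE_MANIFEST, resolve=dns_resolves)
    print(rep.display_name, rep.permission, "HIGH RISK" if is_high_risk(rep) else "ok")
    for finding in rep.findings:
        print(" -", finding)
```

Run it against the manifests of every add-in your tenant has installed; a host that no longer resolves is the strongest signal, but a host on a re-claimable platform deserves a look even while it still resolves, because nothing stops the content there from changing after review.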
Users who opened the add-in saw a “Sign in to continue” prompt. Credentials entered there went to a script that harvested email addresses, passwords, IP addresses, credit card numbers and bank security questions, and relayed everything to the attacker’s Telegram bot.
Koi AI gained access to the bot channel and recovered data from more than 4,000 victims; the attackers were testing stolen logins live when they were caught. Microsoft removed the add-in from its store, but the phishing pages lingered.
No CVE has been assigned, and there is no bug to patch: this is a supply chain risk in dynamic dependencies, where the component’s content is fetched remotely and can change without any oversight.
This “zombie” model hits modern apps hard. Unlike a static download, an add-in updates silently whenever its remote content changes. The attackers could have read or tampered with mail through the add-in, but they stuck to phishing.
Microsoft could re-check the URLs an approved manifest points to, re-review manifests periodically, or sandbox add-in content. Users should vet the add-ins they install, enable MFA, and treat a sign-in form rendered inside an add-in pane as suspect. Organisations should restrict add-in installation to an allow-list via admin policies.
Koi AI warns that copycats are likely, so review the add-ins installed in your Outlook now. The lesson for supply chain hygiene is that a dependency loaded at runtime must be validated continuously, not just once at approval.


© Copyright 2024 – Cyber Press
