Abandoned Outlook add-in hijacked to phish about 4,000 Microsoft accounts

A technical analysis by Koi Security found that an abandoned Outlook add-in listed in Microsoft’s app marketplace was hijacked to phish credentials from about 4,000 Microsoft account users.

KEY FACTS

  • Incident: Hijacked abandoned Outlook add-in used to host phishing pages
  • Victims: About 4,000 Microsoft account credentials stolen
  • Attack vector: Orphaned subdomain linked in the original manifest
  • Mitigation: AgreeTo listing removed from Microsoft Marketplace on February 12

The add-in, named AgreeTo, first appeared in 2022 and was later abandoned by its developer while the manifest remained listed in the marketplace.

The manifest pointed to a subdomain hosted on a development platform where the add-in’s user interface and logic are fetched live each time the add-in opens. The attacker claimed the orphaned subdomain and replaced the hosted content with a phishing kit.

The manifest granted permissions to read and modify email. The phishing kit included a fake Microsoft sign-in page, an exfiltration script and an automated Telegram-based data collection mechanism.
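As an added example (not code from Koi Security's analysis or from the add-in itself), the Python audit below illustrates the two points above: it parses an Office add-in manifest, lists every host from which the UI and logic are fetched live, checks whether each host still resolves, and notes when the declared permission would let a hijacked host read or modify mail. The manifest and host names are constructed placeholders, and the DNS check is only a heuristic, since a host that still resolves may nonetheless be claimable on a development platform.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample manifest; hosts are placeholders, not AgreeTo's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <DefaultSettings>
    <SourceLocation DefaultValue="https://example-addin.dev-platform.example/taskpane.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides">
    <Resources><bt:Urls>
      <bt:Url id="Taskpane.Url" DefaultValue="https://example-addin.dev-platform.example/taskpane.html"/>
      <bt:Url id="Commands.Url" DefaultValue="https://cdn.example.com/commands.html"/>
    </bt:Urls></Resources>
  </VersionOverrides>
</OfficeApp>
"""
HIGH_PERMS = {"ReadWriteMailbox", "ReadWriteItem"}  # a hijacked host could touch mail

def extract_hosts(manifest_xml):
    """Return (sorted hosts the add-in loads UI/code from, declared permission)."""
    root = ET.fromstring(manifest_xml)
    hosts, perm = set(), None
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the XML namespace
        if tag in ("SourceLocation", "Url"):  # DefaultSettings and bt:Url resources
            host = urlparse(el.get("DefaultValue", "")).hostname
            if host:
                hosts.add(host)
        elif tag == "Permissions":
            perm = (el.text or "").strip()
    return sorted(hosts), perm

def dns_resolves(host):
    """Live DNS check; a host that no longer resolves may be claimable by anyone."""
    try:
        return bool(socket.gethostbyname(host))
    except OSError:
        return False

def audit(manifest_xml, resolver=dns_resolves):
    """Flag hosts that fail to resolve, and mail-access permissions that raise impact."""
    hosts, perm = extract_hosts(manifest_xml)
    findings = [f"{h}: does not resolve (possible dangling host)" for h in hosts if not resolver(h)]
    if perm in HIGH_PERMS:
        findings.append(f"permission {perm}: a hijacked host could read or modify mail")
    return {"hosts": hosts, "permission": perm, "findings": findings}
```

Run `audit(SAMPLE_MANIFEST)` over an exported manifest to get an inventory of live-fetched hosts; the `resolver` argument lets you plug in a resolver for offline testing.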

The campaign captured credentials and other data from about 4,000 victims. The attacker also operated multiple phishing kits impersonating banks and webmail providers. Users of AgreeTo are advised to remove the add-in and reset Microsoft account passwords.

WHY IT MATTERS

The incident shows that a marketplace model that serves live content from developer servers can turn an otherwise approved add-in into a persistent phishing threat. Users should remove unused add-ins and reset credentials when a compromise is suspected.