Malicious Microsoft Outlook Add-in Stole 4,000 Account Credentials and Credit Card Details

Attackers have revived a forgotten Microsoft Outlook add-in to phish thousands of users, grabbing Microsoft account logins, passwords, and even credit card details.

Security firm Koi AI uncovered this “zombie” attack, the first known malicious Office add-in spotted in the wild.

It exposes a key flaw: Microsoft doesn’t recheck add-in content after approval, letting hackers hijack dormant tools.

Koidex report for AgreeTo add-in

The Dormant “AgreeTo” Add-in Awakens

Back in 2022, a developer released “AgreeTo,” a legit meeting scheduler, on the Microsoft Office Add-in Store. Users sideloaded it into Outlook for easy calendar booking.

The dev abandoned it, letting the hosting domain (outlook-one.vercel.app on Vercel) expire.

AgreeTo page on the Office Add-ins marketplace

Office add-ins aren’t downloadable apps. They’re web pages loaded in an iframe inside Outlook from the URLs fixed in the add-in’s manifest. If the hosting domain lapses, anyone can claim it and serve whatever they like at that URL.

An attacker grabbed the subdomain and instantly controlled what users saw in their sidebar; no new approval was needed.

Microsoft vets the add-in’s “manifest” file (XML settings) only at submission. AgreeTo’s 2022 manifest passed, granting “ReadWriteItem” permissions to read/modify emails. When hijacked, it swapped the scheduler for a fake Microsoft login page.

Users opening the add-in faced a prompt: “Sign in to continue.” Entering credentials fed data to a script that scraped emails, passwords, IPs, credit cards, and bank security questions. Stolen info routed straight to the attacker’s Telegram bot for exfiltration.

Koi AI infiltrated the bot channel, recovering data from 4,000+ victims. Attackers were testing logins live when caught. Microsoft yanked the add-in from its store, but phishing sites lingered.

No CVE yet, but this is a supply chain risk specific to dynamically loaded dependencies: an add-in’s content can change remotely, after approval, without any oversight.

This “zombie” model hits modern apps hard. Unlike static downloads, add-ins update silently. Attackers could have read inboxes or spoofed emails, but stuck to phishing.

Microsoft should add runtime URL checks, manifest re-reviews, or sandboxing. Users: Vet add-ins, use MFA, scan sidebars. Orgs: Block untrusted add-ins via admin policies.
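The two conditions that made this hijack work are both visible in the manifest Microsoft reviewed once in 2022: an elevated mail permission, and runtime URLs on a hosting platform where a released subdomain can be re-registered. As an added example (not code from Koi AI, Microsoft, or the AgreeTo project), the script below audits a manifest for exactly those conditions, the kind of check an org could run over its sideloaded and centrally deployed add-ins before applying the admin policies mentioned above. The sample manifest, its host name, the list of claimable hosting suffixes, and the function names are all constructed for this example; only vercel.app and the ReadWriteItem permission come from the article.

```python
"""
Audit an Office add-in manifest for the conditions behind a "zombie add-in":
  1. mail permission at ReadWriteItem or above (read/modify the open item);
  2. runtime URLs on platforms whose released subdomains anyone can claim
     (assumed list; vercel.app is the one named in the article);
  3. optionally, runtime hosts that no longer resolve ("dangling"), via an
     injectable resolver so the audit also runs offline.
This is an added example, not code from Koi AI, Microsoft or the add-in author.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Outlook add-in permission levels, lowest to highest.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Assumed: hosting platforms where a released subdomain can be claimed by a new user.
CLAIMABLE_SUFFIXES = (".vercel.app", ".github.io", ".netlify.app", ".herokuapp.com")

# Constructed sample manifest in the OfficeApp 1.1 schema; the host name is made up.
SAMPLE_MANIFEST = """
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Dev</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Scheduler (constructed sample)"/>
  <Description DefaultValue="Constructed sample manifest for the audit example"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <Requirements><Sets><Set Name="Mailbox" MinVersion="1.1"/></Sets></Requirements>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://scheduler-example.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="RuleCollection" Mode="Or">
    <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
  </Rule>
</OfficeApp>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_permission(manifest_xml: str) -> str:
    """Return the declared mail permission, or Restricted if none is declared."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for el in root.iter():
        if _local(el.tag) == "Permissions":
            return (el.text or "").strip()
    return "Restricted"


def extract_runtime_urls(manifest_xml: str) -> List[str]:
    """Every DefaultValue attribute that is an http(s) URL: the content Outlook will load."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    urls: List[str] = []
    for el in root.iter():
        value = el.get("DefaultValue", "")
        if value.startswith(("http://", "https://")) and value not in urls:
            urls.append(value)
    return urls


def dns_resolver(host: str) -> bool:
    """Live check (needs network): does the runtime host still resolve?"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def audit_manifest(manifest_xml: str,
                   resolver: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    permission = extract_permission(manifest_xml)
    if PERMISSION_RANK.get(permission, 0) >= PERMISSION_RANK["ReadWriteItem"]:
        findings.append(f"elevated permission: {permission}")
    for url in extract_runtime_urls(manifest_xml):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(CLAIMABLE_SUFFIXES):
            findings.append(f"claimable hosting platform: {host}")
        if resolver is not None and not resolver(host):
            findings.append(f"dangling host (no longer resolves): {host}")
    return findings


if __name__ == "__main__":
    # Offline demo: pretend the host has lapsed, as AgreeTo's did.
    for finding in audit_manifest(SAMPLE_MANIFEST, resolver=lambda host: False):
        print(finding)
```

Pass `resolver=dns_resolver` to run the dangling-host check against live DNS; note that a host which still resolves is not proof the original developer still controls it, which is why the claimable-platform finding is reported independently.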

Koi AI warns of copycats. Scan your Outlook now. This underscores supply chain hygiene: Validate dependencies forever, not just once.


The post Malicious Microsoft Outlook Add-in Stole 4,000 Account Credentials and Credit Card Details appeared first on Cyber Security News.