The first known malicious Microsoft Outlook add-in has been discovered in the wild, marking a new frontier in supply chain attacks. An unknown attacker claimed the domain of a legitimate, abandoned add-in and used it to host a fake Microsoft login page, successfully stealing over 4,000 user credentials, Koi Security discovered. This activity, codenamed AgreeToSteal, highlights a weakness in how add-ins are distributed and monitored, according to a recent report by The Hacker News.

The attack targeted the AgreeTo add-in, which was designed to consolidate calendar information. The attacker exploited the fact that the original developer had abandoned the project, allowing them to claim the associated domain. This domain then served a phishing kit that mimicked a Microsoft sign-in page. Users who entered their credentials had them exfiltrated via the Telegram Bot API. Researchers noted that the add-in possessed "ReadWriteItem" permissions, which could have allowed for even more severe data theft, such as covertly siphoning email contents. This incident demonstrates a broadening of supply chain attack vectors, extending into trusted software distribution channels like Microsoft's own store.

The AgreeToSteal incident underscores the need for continuous monitoring of add-ins and other software components hosted on marketplaces. The current model, where add-ins are approved once but their dynamic content is not regularly re-evaluated, creates a significant security gap. Recommendations for Microsoft from Koi Security include re-reviewing add-ins when their content changes, verifying domain ownership, and flagging or delisting unmaintained add-ins. This vulnerability is not unique to Microsoft's ecosystem and affects any platform relying on remote dynamic dependencies, highlighting a systemic issue in software supply chain security.

Source: The Hacker News
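One way an administrator could act on the gap described above, as an added example that is not from Koi Security, Microsoft or the original report: read an add-in's manifest, list the hosts it loads live content from, and flag any whose ownership has not been verified, with higher priority when the add-in holds ReadWriteItem. The sample manifest, its hosts and the `verified_hosts` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest, not the real AgreeTo manifest; hosts and Id are placeholders.
SAMPLE_MANIFEST = """\
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Calendar Add-in"/>
  <SupportUrl DefaultValue="https://support.example.org/help"/>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example.net/app/index.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""

# Manifest elements whose URL is fetched as live add-in content at run time.
CONTENT_ELEMENTS = {"SourceLocation", "Url"}
# Outlook permission levels that grant write access to the item or mailbox.
WRITE_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

def audit_manifest(xml_text, verified_hosts):
    """Report the remote content hosts in a manifest that are not in verified_hosts
    (a hypothetical, organization-maintained set of ownership-checked hosts)."""
    # For manifests from untrusted sources, use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    permission, hosts = "unknown", set()
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "Permissions" and el.text:
            permission = el.text.strip()
        elif name in CONTENT_ELEMENTS:
            host = urlparse(el.get("DefaultValue", "")).hostname
            if host:
                hosts.add(host.lower())
    unverified = sorted(hosts - {h.lower() for h in verified_hosts})
    if not unverified:
        priority = "none"
    elif permission in WRITE_PERMISSIONS:
        priority = "high"  # unverified remote content plus write access to mail items
    else:
        priority = "normal"
    return {"permission": permission, "hosts": sorted(hosts),
            "unverified_hosts": unverified, "priority": priority}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, verified_hosts={"support.example.org"}))
```

Because the manifest only points at remote content, a clean result here says nothing about what the host serves today; the check is worth repeating on a schedule alongside a registration or ownership check of each listed host.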
Email security, Phishing, Supply chain
1st malicious Outlook add-in ‘AgreeToSteal’ discovered, over 4,000 credentials stolen




