A blind spot in Microsoft’s app and add-in marketplace security allowed an eagle-eyed hacker to hijack an abandoned Outlook add-in to carry out phishing attacks that compromised 4,000 users, researchers have discovered.
The app in question, AgreeTo, is, or was, a meeting scheduling tool that first appeared in 2022 but was abandoned at some point after that by its developer. Despite this, the add-in continued to be listed on Microsoft’s site.
A hacker noticed the change in its status and hijacked the dead add-in, 4.71-star rating and all, to conduct a phishing campaign. Koi Security, the plug-in security company that uncovered the attack, later discovered that the campaign had successfully stolen thousands of Microsoft account credentials.
Was it a clever takeover by a sophisticated attacker? In fact, according to Koi Security, the hijack was easy, thanks to weaknesses in the process through which developers submit add-ins to Microsoft’s marketplace.
Submitting an add-in to Microsoft merely involves sending a simple XML manifest that lists the add-in’s name and description, the URL from which it is downloaded, and any permissions it needs.
No code is uploaded for assessment. AgreeTo’s manifest simply linked to a subdomain URL, outlook-one.vercel.app, hosted on the Vercel development platform, from which users download the software.
“Microsoft reviews the manifest, signs it, and lists the add-in in their store. But the actual content – the UI, the logic, everything the user interacts with – is fetched live from the developer’s server every time the add-in opens,” said Koi Security’s researchers.
Orphaned URL
By grabbing the abandoned subdomain, the attacker gained control of whatever the URL in the original manifest pointed to. That content was replaced so the URL now served a phishing kit comprising a fake Microsoft sign-in page for password collection, an exfiltration script, and a redirect. The original manifest also granted the attacker permission to read and modify emails.
“They didn’t submit anything to Microsoft. They weren’t required to pass any review. They didn’t create a store listing. The listing already existed – Microsoft-reviewed, Microsoft-signed, Microsoft-distributed. The attacker just claimed an orphaned URL, and Microsoft’s infrastructure did the rest,” said Koi Security.
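The manifest-only submission model described above is what left the AgreeTo listing pointing at a subdomain that anyone could re-register. The script below is an added example, not code from Koi Security, Microsoft or the article: it parses a constructed, simplified mail add-in manifest (the element names follow the Office add-in manifest schema as far as I know; the sample host, add-in name and ID are invented), pulls out every URL the manifest points to, and flags hosts on free hosting platforms whose subdomains become available again once a project is deleted, hosts that no longer resolve, and permissions that allow mail to be read or modified. The suffix list, the DNS check and the risk scoring are assumptions to adapt to your own tenant's add-in inventory.

```python
"""Audit an Outlook/Office add-in manifest for dangling or reclaimable hosts.

Added example. The manifest below is a constructed, simplified sample modelled
on the Office add-in manifest schema; it is not AgreeTo's real manifest.
"""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosting platforms that hand out subdomains which a new account can claim once
# the original project is gone. vercel.app comes from the article; the others are
# illustrative entries (assumption) - maintain your own list.
RECLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "herokuapp.com")

# Mail add-in permission levels that let the loaded content read or change mail.
MAIL_MODIFYING = {"ReadWriteItem", "ReadWriteMailbox"}

# Constructed sample manifest (hypothetical add-in, invented ID and host).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed sample manifest for auditing"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-scheduler.vercel.app/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</OfficeApp>
"""


def local_name(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def extract_urls(manifest_xml):
    """Return every http(s) URL found in attribute values or element text."""
    root = ET.fromstring(manifest_xml)
    urls = []
    for el in root.iter():
        candidates = list(el.attrib.values())
        if el.text:
            candidates.append(el.text.strip())
        for value in candidates:
            if value.startswith(("http://", "https://")) and value not in urls:
                urls.append(value)
    return urls


def extract_permissions(manifest_xml):
    """Return the text of every <Permissions> element, namespace-agnostic."""
    root = ET.fromstring(manifest_xml)
    return [el.text.strip() for el in root.iter()
            if local_name(el.tag) == "Permissions" and el.text]


def is_reclaimable_host(host):
    """True if the host is a subdomain of a platform on RECLAIMABLE_SUFFIXES."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in RECLAIMABLE_SUFFIXES)


def dns_resolves(host):
    """Live DNS check for real use; the audit accepts any host -> bool callable."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def audit_manifest(manifest_xml, resolve=None):
    """Score a manifest: where its content is loaded from and what it may touch.

    resolve: optional callable(host) -> bool. Injected so the audit can run
    offline; pass dns_resolves to check live. A dangling or reclaimable host
    combined with a mail-modifying permission is the AgreeTo pattern.
    """
    urls = extract_urls(manifest_xml)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    findings = {
        "urls": urls,
        "hosts": hosts,
        "reclaimable_hosts": [h for h in hosts if is_reclaimable_host(h)],
        "unresolved_hosts": [h for h in hosts if resolve is not None and not resolve(h)],
        "mail_modifying_permissions": [p for p in extract_permissions(manifest_xml)
                                       if p in MAIL_MODIFYING],
    }
    dangling = findings["reclaimable_hosts"] or findings["unresolved_hosts"]
    if dangling and findings["mail_modifying_permissions"]:
        findings["risk"] = "high"
    elif dangling or findings["mail_modifying_permissions"]:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


if __name__ == "__main__":
    # Offline run: no DNS lookup, so only platform and permission checks apply.
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against the manifests of every add-in deployed in your tenant and re-run on a schedule rather than once at approval: as the article notes, the content behind a reviewed manifest can change at any time, so the useful signal is a host that starts failing to resolve or moves to a platform where its name can be claimed by someone else.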
Phished credentials and victim IP addresses were automatically sent to the attacker via a simple Telegram bot, without the need for complex command & control, Koi Security said.
The researchers were able to get inside this infrastructure, discovering that 4,000 victims had fallen into the attacker’s phishing trap; all were later contacted by Koi Security to warn that their credentials had been compromised.
The same attacker was found to be operating 12 different phishing kits impersonating a variety of banks and webmail providers, Koi Security added. Data stolen from these sites included credit card numbers, CVVs, PINs, and banking security answers used by recipients to receive payments made via the Interac e-Transfer system, as well as password credentials.
The weakness revealed by the AgreeTo hijack is Microsoft’s add-in delivery architecture; it just distributes a simple, and potentially unreliable, URL. Because of this, Koi Security pointed out, “an add-in that’s clean on Monday can serve a phishing page on Tuesday – or, as in this case, years later. Microsoft reviews the manifest at submission, but the actual content can change at any time without further review.”
Ironically, the weakness was identified as long ago as 2019 by another security company, MDSec. AgreeTo is believed to be the first malicious Outlook add-in ever discovered on the Microsoft Marketplace, which might explain why deeper URL checking wasn’t implemented after this research.
As of February 12, the AgreeTo add-in is no longer available from Microsoft Marketplace. Anyone still using AgreeTo is advised to remove it as soon as possible, and to reset their Microsoft account passwords.
A separate AgreeTo extension for Chrome stopped working in 2024; Google removed it in February 2025.
This article originally appeared on Computerworld.