First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild. In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been
AI Analysis
Technical Summary
Researchers have identified the first known malicious Microsoft Outlook add-in detected in the wild, named AgreeTo, which was originally a legitimate calendar integration tool last updated in December 2022. The attacker exploited the abandonment of the add-in by claiming the domain associated with its manifest URL, which is fetched live each time the add-in runs inside Outlook. This domain, hosted on Vercel, now serves a phishing kit presenting a fake Microsoft login page to steal credentials, having already compromised over 4,000 accounts. The add-in requests "ReadWriteItem" permissions, allowing it to read and modify emails, which could enable attackers to siphon mailbox contents covertly. The attack represents a new supply chain vector where dynamic content served by add-ins can be maliciously changed post-approval, circumventing Microsoft's initial manifest review process. The attacker exfiltrated credentials via the Telegram Bot API and redirected victims to the legitimate Microsoft login page to avoid suspicion. This incident underscores the risks of marketplaces approving add-ins based on static manifests without continuous monitoring of the live content they serve. Recommendations include implementing domain ownership verification, re-review triggers when content changes, delisting inactive add-ins, and displaying installation metrics to assess impact. The problem is systemic across platforms hosting remote dynamic dependencies, emphasizing the need for ongoing scrutiny beyond initial approval.
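The summary above turns on one detail: an Outlook add-in's manifest only points at remote URLs, and the code behind them is fetched live every run, so the hosts named in the manifest are the real trust boundary. The following audit script is an added example (not code from Koi Security or the article) that parses a constructed manifest modelled on the Office add-in schema, lists every host it loads content from, flags hosts outside an allowlist, and flags a permission level above policy; the hostnames and GUID are placeholders.

```python
"""Audit an Outlook add-in manifest: which remote hosts can serve it code,
and does it ask for more than policy allows (e.g. ReadWriteItem)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OFFICE_NS = "{http://schemas.microsoft.com/office/appforoffice/1.1}"

# Office mail add-in permission levels, least to most privileged.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Constructed sample manifest; hostnames and Id are placeholders, not incident data.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <DisplayName DefaultValue="Example Calendar Add-in"/>
  <AppDomains><AppDomain>https://cdn.example-addin.test</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead">
    <DesktopSettings>
      <SourceLocation DefaultValue="https://example-addin.test/index.html"/>
    </DesktopSettings>
  </Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""


def audit_manifest(xml_text, approved_hosts, max_permission="ReadItem"):
    """Return the requested permission, whether it exceeds max_permission,
    every remote host referenced by the manifest, and those not allowlisted."""
    root = ET.fromstring(xml_text)
    hosts = set()
    for el in root.iter():
        # SourceLocation / bt:Url keep the URL in DefaultValue; AppDomain in text.
        url = el.get("DefaultValue") or (el.text or "").strip()
        if url.startswith(("http://", "https://")):
            hosts.add(urlparse(url).hostname)
    perm_el = root.find(OFFICE_NS + "Permissions")
    permission = perm_el.text.strip() if perm_el is not None else "Restricted"
    # Unknown permission strings are treated as the most privileged level.
    rank = PERMISSION_RANK.get(permission, max(PERMISSION_RANK.values()) + 1)
    return {
        "permission": permission,
        "over_privileged": rank > PERMISSION_RANK[max_permission],
        "remote_hosts": sorted(hosts),
        "unapproved_hosts": sorted(h for h in hosts if h not in approved_hosts),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, {"cdn.example-addin.test"}))
```

Because the content behind these hosts is fetched live, a one-time pass is only a baseline: re-run it against the installed manifests and re-check that each host is still registered to the original publisher.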
Potential Impact
European organizations using Microsoft Outlook with add-ins from the Microsoft Store face significant risks from this attack. Credential theft can lead to unauthorized access to corporate email accounts, enabling further phishing, data exfiltration, and lateral movement within networks. The ability of the add-in to read and modify emails threatens confidentiality and integrity of sensitive communications, potentially exposing personal data, intellectual property, and strategic information. This can result in regulatory non-compliance under GDPR, financial losses, reputational damage, and operational disruption. Organizations relying heavily on Outlook for internal and external communications, especially in sectors like finance, government, and critical infrastructure, are particularly vulnerable. The stealthy nature of the attack, which does not require user interaction beyond normal add-in use, increases the likelihood of widespread compromise before detection. The supply chain aspect complicates trust assumptions, as the add-in was originally legitimate and approved by Microsoft, highlighting systemic risks in software supply chains.
Mitigation Recommendations
European organizations should audit installed Outlook add-ins and remove any that are abandoned or from untrusted sources. Employ endpoint detection solutions capable of monitoring unusual add-in behavior, paying particular attention to add-ins with elevated permissions such as ReadWriteItem. Implement multi-factor authentication (MFA) for Microsoft accounts to reduce the impact of credential theft. Monitor network traffic for suspicious connections to known malicious domains or unusual data exfiltration patterns. Advocate for Microsoft to enhance its marketplace security by enforcing domain ownership verification, continuous content scanning of add-in URLs, and automatic delisting of inactive or abandoned add-ins. Organizations should also educate users about phishing risks associated with add-ins and encourage reporting of suspicious login prompts. Deploy email security gateways with advanced phishing detection capabilities. Finally, maintain an inventory of all third-party add-ins and integrate it into vulnerability management and incident response processes so that emerging threats can be addressed rapidly.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Article Source: https://thehackernews.com/2026/02/first-malicious-outlook-add-in-found.html (fetched 2026-02-12T07:45:45.377Z, 1438 words)
Threat ID: 698d852bc9e1ff5ad8a52189
Added to database: 2/12/2026, 7:45:47 AM
Last enriched: 2/12/2026, 7:46:24 AM
Last updated: 3/29/2026, 11:37:11 AM