First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
"This is the same class of attack we've seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval," Dardikman said. "What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they're distributed through Microsoft's own store, which carries implicit trust."
"The AgreeTo case adds another dimension: the original developer did nothing wrong. They built a legitimate product and moved on. The attack exploited the gap between when a developer abandons a project and when the platform notices. Every marketplace that hosts remote dynamic dependencies is susceptible to this. At its core, the attack exploits how Office add-ins work and the lack of periodic content monitoring of add-ins published to the Marketplace."
A malicious Microsoft Outlook add-in hijacked an abandoned add-in's domain to serve a fake Microsoft login page and stole over 4,000 user credentials. The compromised add-in, AgreeTo, was last updated in December 2022 and aimed to synchronize calendars and share availability via email. The operation was codenamed AgreeToSteal. The attack exploited how Office add-ins load remote content and the absence of periodic content monitoring in the Microsoft Marketplace, creating a window when an abandoned project can be taken over. The incident expands supply chain risk to Office add-ins, similar to browser extensions, npm packages, and IDE plugins.
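The following is an added example, not code from the article or from Microsoft. It lists the remote URLs an Outlook add-in manifest loads alongside the permission it requests, and flags any URL whose served content no longer matches a hash recorded at review time. The manifest, the host `addin.example.com` and the baseline values are constructed, and fetching the live content is left to the caller.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest (not the real AgreeTo manifest); host is a placeholder.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://addin.example.com/icon.png"/>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example.com/pane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def remote_dependencies(manifest_xml):
    """Return the requested permission plus every remote URL/host the manifest references."""
    root = ET.fromstring(manifest_xml)
    perms = next((e.text.strip() for e in root.iter()
                  if local(e.tag) == "Permissions" and e.text), "unknown")
    # Manifest URLs are carried in DefaultValue attributes (SourceLocation, IconUrl, ...).
    urls = sorted({e.get("DefaultValue") for e in root.iter()
                   if (e.get("DefaultValue") or "").startswith(("http://", "https://"))})
    hosts = sorted({urlparse(u).hostname for u in urls})
    return {"permissions": perms, "urls": urls, "hosts": hosts}


def content_drift(baseline, fetched):
    """baseline: url -> sha256 hex recorded at review; fetched: url -> bytes served now.
    Returns the URLs whose content changed or was never baselined."""
    return sorted(url for url, body in fetched.items()
                  if baseline.get(url) != hashlib.sha256(body).hexdigest())
```

The hosts this inventory returns are also the ones worth watching for lapsed DNS registration or ownership changes, since the add-in keeps loading whatever they serve.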
Read at The Hacker News