- Abandoned Outlook add-in AgreeTo hijacked in phishing kit that steals Microsoft accounts
- Attackers stole 4,000 accounts, credit card data and bank security answers
- Microsoft removed the add-on; users are encouraged to reset passwords and monitor financial activity
Hackers took over a legitimate but abandoned Microsoft Outlook add-in project and turned it into a full-fledged phishing kit, experts have warned.
Security researchers at Koi said they discovered AgreeTo, a meeting-scheduling add-in for Outlook with a relatively large user base.
This scheduler was developed by an independent researcher and landed on the Microsoft Office Add-in Store in December 2022, but has since been abandoned. The URL that serves the content loaded into Outlook was then picked up by the malicious actor, who used it to plant a phishing kit, so that when a person opens the add-on, they are presented with a fake Microsoft login page.
Microsoft steps in
Koi’s researchers managed to access the attacker’s exfiltration channel (which used a Telegram bot API) and discovered that more than 4,000 Microsoft accounts were stolen. To make matters worse, the threat actors also obtained people’s credit card numbers and bank security answers, which is more than enough information to make fraudulent wire transfers.
They also found that this was an active campaign where the attackers were testing stolen credentials to see which worked and which would be valuable going forward.
Microsoft was alerted and the company has now removed the add-on from its repository.
Koi also said whoever is behind this attack is running “at least a dozen” other phishing kits. These are aimed at ISPs, banks and webmail providers, but we don’t know how successful they are compared to Outlook AgreeTo.
What we do know is that this is the first malware found on the official Microsoft Marketplace and the first malicious Outlook add-in to be discovered in the wild, Bleeping Computer said.
Users are advised to remove the add-in from their Outlook instances without hesitation and reset all their passwords. Keeping an eye on bank statements for suspicious transactions would also be a good decision.
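An Office add-in's manifest names the web URL whose content is loaded into Outlook, which is the kind of URL the report says was picked up after the project was abandoned. The following is an added example (not from the article, Koi or Microsoft) that lists the remote hosts a manifest depends on and flags any that are unapproved or no longer resolve; the manifest, host names and the `resolves` callback are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest (not the real AgreeTo manifest); hosts are placeholders.
# Assumes manifests come from the admin's own add-in inventory, not untrusted input.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000001</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <AppDomains><AppDomain>https://cdn.vendor.example</AppDomain></AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://scheduler.abandoned.example/taskpane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
</OfficeApp>"""

def remote_hosts(manifest_xml):
    """Map each remote host in the manifest to the element names that reference it."""
    hosts = {}
    for el in ET.fromstring(manifest_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "SourceLocation":
            url = el.get("DefaultValue", "")
        elif name == "AppDomain":
            url = (el.text or "").strip()
        else:
            continue
        host = urlsplit(url).hostname
        if host:
            hosts.setdefault(host.lower(), []).append(name)
    return hosts

def audit(manifest_xml, approved_hosts, resolves):
    """Flag hosts that are not approved, or approved but no longer resolving.

    `resolves` is a caller-supplied callable (host -> bool), for example a
    wrapper around socket.getaddrinfo; it is injected so the check runs offline.
    """
    findings = []
    for host, refs in sorted(remote_hosts(manifest_xml).items()):
        if host not in approved_hosts:
            findings.append((host, "not-approved", refs))
        elif not resolves(host):
            findings.append((host, "approved-but-unresolvable", refs))
    return findings
```

A host that stops resolving is only visible until someone claims it again, so the allowlist review is the durable control and the resolution check is an early warning.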
Via Bleeping Computer



