The first ever known malicious add-in bypassed a weak vetting process with a simple URL hack.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

An attacker hijacked an abandoned Outlook add-in called AgreeTo by claiming its orphaned subdomain URL, bypassing Microsoft's weak vetting process that only reviews manifests without checking actual code. The attack compromised 4,000 users' Microsoft credentials through a phishing page served from the hijacked URL. Microsoft's add-in architecture allows content to change after approval since it fetches code live from developer servers, creating a security blind spot identified as early as 2019 but never addressed until this first-known malicious add-in was discovered.

‘Dead’ Outlook add-in hijacked to phish 4,000 Microsoft Office Store users