The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials.
Originally a legitimate meeting scheduling tool for Outlook users, the module was developed by an independent publisher and has been on the Microsoft Office Add-in Store since December 2022.
Office add-ins are just URLs pointing to content loaded into Microsoft products from the developer's server. In the case of AgreeTo, the developer used a Vercel-hosted URL (outlook-one.vercel.app) but abandoned the project, despite the userbase it formed.
However, the add-in continued to be listed on Microsoft's store, and a threat actor claimed its orphaned URL to plant a phishing kit.
AgreeTo add-in on Microsoft Marketplace
Source: Koi Security
According to researchers at supply-chain security company Koi say that the threat actor taking over the project deployed a fake Microsoft sign-in page, a password collection page, an exfiltration script, and a redirect.
It is worth noting that once an add-in is in the Microsoft store, there is no further verification process. When submitting a module, Microsoft reviews the manifest file and signs it for approval.
AgreeTo had already been reviewed and approved, and loaded all the resources - user interface and everything the user interacts with, from the developer's server, now under the control of the threat actor.
AgreeTo manifest
... continue reading