First malicious Outlook add-in discovered that steals over 4,000 Microsoft credentials

By user, February 11, 2026
Cybersecurity researchers have discovered what they describe as the first known malicious Microsoft Outlook add-in to be detected in the wild.

In this unusual supply chain attack, detailed by Koi Security, an unknown attacker claimed a domain associated with a legitimate, now-abandoned add-in to serve up a fake Microsoft login page, stealing over 4,000 credentials in the process. This activity has been codenamed “AgreeToSteal” by the cybersecurity firm.

The Outlook add-in in question is AgreeTo, which the developer touts as a way for users to connect their various calendars in one place and share their availability via email. The add-in was last updated in December 2022.

Idan Dardikman, co-founder and CTO of Koi, told Hacker News that the incident represents an expansion of supply chain attack vectors.

“This is the same type of attack we’ve seen with browser extensions, npm packages, and IDE plugins – trusted distribution channels where content can be modified after approval,” Dardikman said. “Office Add-ins are particularly concerning because of a combination of factors: They run within Outlook, handle users’ most sensitive communications, can request permission to read and modify email, and are distributed through Microsoft’s own store, where implicit trust is maintained.”

“The AgreeTo incident added another dimension. The original developers did nothing wrong. They built a legitimate product and moved on. This attack exploited the gap between a developer abandoning a project and the platform noticing it. Any marketplace that hosts remote dynamic dependencies is susceptible to this.”

The core of this attack exploits the way Office add-ins work and the fact that the content of add-ins published to the marketplace is not regularly monitored. According to Microsoft documentation, add-in developers must create an account, submit their solution to Partner Center, and then go through an approval process.

Additionally, Office Add-ins use manifest files to declare the URLs of their content. That content is retrieved live from the developer’s server and rendered inside an iframe element within the application every time the add-in is opened. Nothing, however, prevents an attacker from gaining control of an expired domain that such a manifest still points to.

In the case of AgreeTo, the manifest file pointed to a URL hosted on Vercel (“outlook-one.vercel[.]app”) that became available for anyone to claim after the developer’s Vercel deployment was removed, as the add-in essentially became abandonware around 2023. This infrastructure is still up and running as of this writing.

The attackers took advantage of this behavior by staging a phishing kit at that URL: it displayed a fake Microsoft sign-in page, captured the password the victim entered, leaked the details via the Telegram Bot API, and finally redirected the victim to the real Microsoft login page.

But Koi warns that the incident could have been much worse. If an add-in is configured with the “ReadWriteItem” permission, which allows the add-in to read and modify the user’s email, an attacker could exploit this blind spot to serve JavaScript that surreptitiously siphons the contents of the victim’s mailbox.

This finding once again highlights the need to rescan packages and tools uploaded to marketplaces and repositories to flag malicious/suspicious activity.

Dardikman said Microsoft reviews the manifest during the initial submission stage, but once the manifest is signed and approved, Microsoft has no control over the actual content that is pulled live from the developer’s servers every time the add-in is opened. As a result, if what the declared URLs serve is not continually monitored, the door is open to unintended security risks.

“Office add-ins are fundamentally different from traditional software,” Dardikman added. “A static code bundle is not shipped. The manifest simply declares a URL, and whatever that URL serves at that time will be executed within Outlook. In the case of AgreeTo, Microsoft signed a manifest pointing to outlook-one.vercel.app in December 2022. That same URL is now being provided to phishing kits, and the add-in is still listed in the store.”

To combat the security issues posed by this threat, Koi recommends several steps Microsoft can take.

  • Trigger a re-review when an add-in’s URL starts returning different content than it did at the time of review.
  • Verify domain ownership to ensure the domain is managed by the add-in developer, and flag add-ins whose domain infrastructure has changed ownership.
  • Implement a mechanism to delist or flag add-ins that have not been updated for more than a certain period of time.
  • Use the number of installs as a way to assess impact.
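The live-loading mechanism described above and the re-review, ownership and staleness checks Koi recommends can be combined into a simple marketplace-side monitor. The following is an added example, not Koi’s or Microsoft’s code; the manifest, the served page bodies, the hostname (a placeholder, not the real add-in’s) and the verified-host list are all constructed here, while the December 2022 last-update and February 11, 2026 dates come from the article.

```python
"""Re-review trigger for an Office add-in whose content is fetched live from the
manifest's SourceLocation URL. Added example with constructed inputs."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlparse

OFFICE_NS = "http://schemas.microsoft.com/office/appforoffice/1.1"

# Constructed manifest; the hostname is a placeholder, not the real add-in's.
MANIFEST = f"""<OfficeApp xmlns="{OFFICE_NS}">
  <DefaultSettings>
    <SourceLocation DefaultValue="https://addin-example.invalid/taskpane.html"/>
  </DefaultSettings>
</OfficeApp>"""

# Dates from the article: last add-in update vs. publication date.
LAST_UPDATE = date(2022, 12, 1)
TODAY = date(2026, 2, 11)

def source_locations(manifest_xml):
    """URLs whose content Outlook loads live each time the add-in opens."""
    root = ET.fromstring(manifest_xml)
    return [el.get("DefaultValue") for el in root.iter(f"{{{OFFICE_NS}}}SourceLocation")]

def sha256_hex(body):
    return hashlib.sha256(body).hexdigest()

def assess(url, reviewed_hash, served_body, verified_hosts, last_update, today, stale_days=365):
    """Return the set of review flags for one declared URL.
    served_body is None when the endpoint no longer answers, e.g. the hosting
    deployment was deleted and the name is free for anyone to re-register."""
    flags = set()
    if urlparse(url).hostname not in verified_hosts:
        flags.add("ownership-unverified")          # domain not proven to be the publisher's
    if (today - last_update).days > stale_days:
        flags.add("stale-listing")                 # candidate for delisting or flagging
    if served_body is None:
        flags.add("endpoint-unreachable")          # takeover window: nothing is served
    elif sha256_hex(served_body) != reviewed_hash:
        flags.add("content-drift")                 # content differs from what was reviewed
    return flags

# Constructed page bodies: what was reviewed, and a later sign-in look-alike.
REVIEWED_BODY = b"<html><body>Calendar availability pane</body></html>"
REVIEWED_HASH = sha256_hex(REVIEWED_BODY)
PHISH_BODY = b"<html><form action='/collect'>Sign in to Microsoft</form></html>"

if __name__ == "__main__":
    url = source_locations(MANIFEST)[0]
    print(assess(url, REVIEWED_HASH, PHISH_BODY, {"addin-example.invalid"}, LAST_UPDATE, TODAY))
```

In a real deployment the served body would come from a scheduled fetch of each listed URL, with any non-empty flag set routed to the marketplace review queue.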

Hacker News has reached out to Microsoft for comment and will update the article if we hear back.

Note that this issue is not limited to Microsoft’s marketplace or the Office Store. Last month, Open VSX announced plans to conduct security checks on Microsoft Visual Studio Code (VS Code) extensions before they are published to its open-source registry. Microsoft’s VS Code Marketplace similarly rescans all packages in its registry periodically in bulk.

“The structural issue is the same for all marketplaces that host remote dynamic dependencies: approve once and trust forever,” Dardikman said. “The details vary by platform, but the fundamental gap that makes AgreeTo possible exists wherever marketplaces review manifests at the time of submission and do not monitor what services the referenced URLs actually provide afterwards.”
