- Abandoned Outlook add-in AgreeTo hijacked into phishing kit stealing Microsoft accounts
- Attackers stole 4,000 accounts, credit card data, and banking security answers
- Microsoft removed add-in; users urged to reset passwords and monitor financial activity
Hackers took over a legitimate, but abandoned, add-in project for Microsoft Outlook and turned it into a full-blown phishing kit, experts have warned.
Security researchers Koi said they discovered AgreeTo, an Outlook add-on meeting scheduler with a relatively large user base on the email provider.
This scheduler was developed by an independent researcher and landed on the Microsoft Office Add-in Store in December 2022, but has since been abandoned, with the URL which pointed to the content that gets loaded into Outlook was picked up by the malicious actor. They used it to plant a phishing kit, so that when a person opens up the add-in, they are presented with a fake Microsoft login page.
Microsoft steps in
Koi’s researchers managed to access the attacker’s exfiltration channel (which used a Telegram bot API) and discovered that more than 4,000 Microsoft accounts were stolen. To make matters even worse, the threat actors also obtained people’s credit card numbers and banking security answers, which is more than enough information to make fraudulent wire transfers.
They also found that this was an active campaign, with the miscreants testing stolen credentials to see which work, and which would be valuable going forward.
Microsoft was alerted, and the company has now removed the add-in from its repository.
Koi also said that whoever is behind this attack runs “at least a dozen” other phishing kits. These target internet service providers, banks, and webmail providers, but we don’t know how successful they are, compared to the Outlook AgreeTo one.
What we do know is that this is the first malware to be found on the official Microsoft Marketplace, and the first malicious Outlook add-in to be detected in the wild, BleepingComputer said.
Users are advised to remove the add-in from their Outlook instances without hesitation and reset all of their passwords. Keeping tabs on banking statements for any suspicious transactions would also be a good decision.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/TLZcsEGFPY2WCSSbjPXEqQ-2560-80.jpg
Source link
