Security researchers at Koi Security have identified what they describe as the first known malicious Microsoft Outlook add-in actively used in real-world attacks. The campaign abused Microsoft’s add-in ecosystem to steal more than 4,000 user credentials, raising concerns about how browser-style extensions and add-ins are maintained over time.
The incident involved an Outlook add-in that was originally published as a legitimate productivity tool. After the original developer stopped maintaining it, the website that powered the add-in’s functionality was left unclaimed. Attackers later took control of that web address and quietly replaced the original content with a phishing page, without modifying the add-in itself.
Because Outlook add-ins load live web content directly inside the email client, the compromised add-in continued to appear trustworthy. When users opened it, they were shown a fake Microsoft sign-in page instead of the expected interface. Any credentials entered were captured and sent to the attacker before users were redirected to Microsoft’s real login page, making the attack difficult to detect.
The research found that the stolen data extended beyond email usernames and passwords, including other sensitive information entered into the phishing forms. Activity linked to multiple phishing campaigns targeting different services suggests the operation was broader than a single isolated incident.
The findings point to a weakness in how Office add-ins are managed. While Microsoft reviews add-ins when they are first submitted to its store, the external web content they rely on is not continuously monitored. As a result, an add-in that was originally safe can later become harmful if its associated web resources are taken over.
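The gap described above is an inventory problem: an add-in's manifest is reviewed once, but the web origins it names keep being loaded for as long as the add-in stays installed. The following script is an added example, not code from Koi Security or Microsoft. It parses an Office add-in manifest, collects every URL the client will load (the `SourceLocation` and `bt:Url` `DefaultValue` attributes used in Microsoft's add-in manifest schema), and reports hosts that no longer resolve or that are served over plain HTTP, so an administrator can review or remove the add-in. The manifest embedded below is constructed for the example; `example.invalid` is a reserved name that never resolves, and `static_resolver` is a hypothetical offline stand-in for DNS so the check runs without network access.

```python
"""Inventory the external web origins an Office add-in manifest loads.

Added example (not Koi Security's or Microsoft's code). Parses an
Outlook/Office add-in manifest, extracts the URLs the client will load,
and flags hosts that fail to resolve or use plain HTTP for review.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed sample manifest in the shape of an Outlook (MailApp) add-in manifest.
# The hostnames are assumptions for this example and do not exist.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Productivity Add-in"/>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://addin.example.invalid/taskpane.html"/>
  </DefaultSettings>
  <VersionOverrides>
    <Resources>
      <bt:Urls>
        <bt:Url id="Commands.Url" DefaultValue="https://addin.example.invalid/commands.html"/>
        <bt:Url id="Help.Url" DefaultValue="http://help.example.invalid/readme.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""


def extract_urls(manifest_xml: str) -> List[str]:
    """Return every http(s) URL the manifest points the Office client at, in document order."""
    root = ET.fromstring(manifest_xml)
    urls: List[str] = []
    for elem in root.iter():
        # Tags arrive namespaced as "{ns}SourceLocation"; compare only the local name.
        local = elem.tag.rsplit("}", 1)[-1]
        if local not in ("SourceLocation", "Url"):
            continue
        value = elem.get("DefaultValue", "")
        if value.startswith(("http://", "https://")):
            urls.append(value)
    return urls


def static_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Hypothetical offline stand-in for DNS: resolves hosts in `table`, fails for all others."""
    def resolve(host: str) -> str:
        if host in table:
            return table[host]
        raise OSError(f"no address for {host}")
    return resolve


def audit_manifest(manifest_xml: str,
                   resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, dict]:
    """Group the manifest's URLs by host and record whether each host still resolves.

    A host that no longer resolves is the condition described in the article: the
    add-in is still installed, but nobody is answering for the origin it loads.
    """
    report: Dict[str, dict] = {}
    for url in extract_urls(manifest_xml):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        entry = report.setdefault(host, {"urls": [], "resolves": None, "plain_http": False})
        entry["urls"].append(url)
        if parsed.scheme == "http":
            entry["plain_http"] = True
    for host, entry in report.items():
        try:
            resolver(host)          # socket.gaierror is a subclass of OSError
            entry["resolves"] = True
        except OSError:
            entry["resolves"] = False
    return report


def findings(report: Dict[str, dict]) -> List[str]:
    """Turn the audit report into one review line per problem found."""
    out: List[str] = []
    for host, entry in sorted(report.items()):
        if entry["resolves"] is False:
            out.append(f"{host}: does not resolve; the add-in still loads from this origin, review or remove it")
        if entry["plain_http"]:
            out.append(f"{host}: content is loaded over plain HTTP")
    return out


if __name__ == "__main__":
    # Offline run: pretend only the help host still has an owner.
    resolver = static_resolver({"help.example.invalid": "192.0.2.1"})
    for line in findings(audit_manifest(SAMPLE_MANIFEST, resolver=resolver)):
        print(line)
```

Run against a real manifest, drop the `resolver=` argument so `socket.gethostbyname` performs live lookups. A host that resolves is not proof of safety (the article's case was a domain that had been re-registered by someone else), so the `urls` list in the report is the input for the next step: checking who currently owns each origin.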
Users should periodically review installed add-ins and remove any that are no longer actively used or supported.