cybersecurity researchers have identified the first known malicious Microsoft Outlook add-in actively used in attacks, a novel supply chain compromise that has resulted in the theft of more than 4,000 user credentials. The discovery, detailed by the security firm Koi Security, involves an attacker hijacking the domain of a legitimate, abandoned add-in to deploy a fake Microsoft login page, directly targeting users of the popular email client worldwide. This incident highlights a significant escalation in the methods used to compromise business and personal email accounts.

Mechanics of the Attack

The attack centered on a once-legitimate Microsoft Outlook add-in that had fallen out of use. An unknown threat actor seized control of the internet domain associated with the add-in’s backend infrastructure. When users with the add-in still installed launched Microsoft Outlook, the add-in would connect to this now attacker-controlled domain.

Instead of providing its intended functionality, the compromised add-in served a sophisticated phishing page designed to mimic an official Microsoft login prompt. This page captured users’ usernames and passwords as they attempted to authenticate. The stolen credentials were then transmitted to servers operated by the attackers.

Scale and Discovery

Koi Security reported that the malicious operation successfully harvested over 4,000 unique Microsoft account credentials before being detected and disrupted. The security firm’s researchers identified the campaign through ongoing threat intelligence gathering and analysis of suspicious network traffic originating from the hijacked domain.

The attack represents a concerning evolution in phishing techniques. Unlike traditional email-based phishing, this method exploited trusted software already installed within the victim’s environment, making the fraudulent login request appear highly credible and bypassing many standard email security filters.

Broader Implications for Software Supply Chains

This incident is categorized as a supply chain attack, where malicious actors compromise a trusted component to infiltrate a wider user base. By targeting a neglected but still-installed add-in, the attackers leveraged an existing trust relationship between the software and the user.

Security experts note that this tactic poses a particular challenge for organizations. It underscores the risk posed by third-party integrations and extensions that may not be actively maintained, yet retain extensive permissions within critical applications like email clients.

The discovery of a malicious Outlook add-in in active use sets a new precedent. It signals to defenders that the attack surface for widely used productivity software extends beyond the core application to include all connected plugins and extensions.

Response and Mitigation

Following the disclosure by Koi Security, steps have been taken to neutralize the immediate threat. The malicious domain has been taken down, preventing the add-in from communicating with the attacker’s servers. Microsoft has been notified of the findings.

For users and system administrators, security recommendations include auditing and removing any unused or unnecessary add-ins from Microsoft Outlook and other office productivity software. Enforcing multi-factor authentication (MFA) for all Microsoft and corporate accounts remains one of the most effective defenses, as it would prevent the use of stolen passwords alone to gain access.

Looking Ahead

Security analysts anticipate that other threat groups may attempt to replicate this supply chain attack method, targeting other abandoned or poorly maintained software extensions. The cybersecurity community is expected to increase scrutiny on the lifecycle management of third-party add-ins and plugins across major platforms. Official guidance from Microsoft regarding the security review process for add-ins and measures to handle deprecated components is likely to be closely monitored in the coming weeks.

Source: Koi Security