{“lastseen”:”2026-02-12T16:05:09″,”description”:”Researchers found a malicious Microsoft Outlook add-in which was able to steal 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers. \\n\\nHow is it possible that the Microsoft Office Add-in Store ended listing an add-in that silently loaded a phishing kit inside Outlook\u2019s sidebar?\\n\\nA developer launched an add-in called AgreeTo, an open-source meeting scheduling tool with a Chrome extension. It was a popular tool, but at some point, it was abandoned by its developer, its backend URL on Vercel expired, and an attacker later claimed that same URL.\\n\\nThat requires some explanation. Office add-ins are essentially XML manifests that tell Outlook to load a specific URL in an iframe. Microsoft reviews and signs the manifest once but does not continuously monitor what that URL serves later.\\n\\nSo, when the outlook-one.vercel.app subdomain became free to claim, a cybercriminal jumped at the opportunity to scoop it up and abuse the powerful ReadWriteItem permissions requested and approved in 2022. These permissions meant the add-in could read and modify a user\u2019s email when loaded. The permissions were appropriate for a meeting scheduler, but they served a different purpose for the criminal.\\n\\nWhile Google removed the dead Chrome extension in February 2025, the Outlook add-in stayed listed in Microsoft’s Office Store, still pointing to a Vercel URL that no longer belonged to the original developer.\\n\\nAn attacker registered that Vercel subdomain and deployed a simple four-page phishing kit consisting of fake Microsoft login, password collection, Telegram-based data exfiltration, and a redirect to the real login.microsoftonline.com.\\n\\nWhat make this work was simple and effective. When users opened the add-in, they saw what looked like a normal Microsoft sign-in inside Outlook. They entered credentials, which were sent via a JavaScript function to the attacker\u2019s Telegram bot along with IP data, then were bounced to the real Microsoft login so nothing seemed suspicious.\\n\\nThe researchers were able to access the attacker\u2019s poorly secured Telegram-based exfiltration channel and recovered more than 4,000 sets of stolen Microsoft account credentials, plus payment and banking data, indicating the campaign was active and part of a larger multi-brand phishing operation.\\n\\n\\u003e \\”The same attacker operates at least 12 distinct phishing kits, each impersonating a different brand – Canadian ISPs, banks, webmail providers. The stolen data included not just email credentials but credit card numbers, CVVs, PINs, and banking security answers used to intercept Interac e-Transfer payments. This is a professional, multi-brand phishing operation. The Outlook add-in was just one of its distribution channels.\\”\\n\\n## What to do\\n\\nIf you are or ever have used the AgreeTo add-in after May 2023:\\n\\n * Make sure it\u2019s removed. If not, uninstall the add-in.\\n * Change the password for your Microsoft account.\\n * If that password (or close variants) was reused on other services (email, banking, SaaS, social), change those as well and make each one unique.\\n * Review recent sign\u2011ins and security activity on your Microsoft account, looking for logins from unknown locations or devices, or unusual times.\\n * Review other sensitive information you may have shared via email.\\n * Scan your mailbox for signs of abuse: messages you did not send, auto\u2011forwarding rules you did not create, or password\u2011reset emails for other services you did not request.\\n * Watch payment statements closely for at least the next few months, especially small \u201ctest\u201d charges and unexpected e\u2011transfer or card\u2011not\u2011present transactions, and dispute anything suspicious immediately.\\n\\n\\n\\n* * *\\n\\n**We don ‘t just report on threats\u2014we help safeguard your entire digital identity**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.”,”published”:”2026-02-12T14:35:13″,”modified”:”2026-02-12T14:35:13″,”type”:”malwarebytes”,”title”:”Outlook add-in goes rogue and steals 4,000 credentials and payment data”,”source”:””,”references”:””,”id”:”MALWAREBYTES:58BD664B67702086B41A44B39AC7E31F”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/outlook-add-in-goes-rogue-and-steals-4000-credentials-and-payment-data”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-12T16:05:09″,”description”:”Researchers found a malicious Microsoft Outlook add-in which was able to steal 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers. \\n\\nHow…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-40600","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n