ONE Sentinel

Security/THREATS/HIGH

First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials

Source: The Hacker News
February 11, 2026

EXECUTIVE SUMMARY

First Malicious Outlook Add-In Steals 4,000+ Credentials in Supply Chain Attack

Summary

Cybersecurity researchers have uncovered the first known malicious Microsoft Outlook add-in actively used in the wild. This supply chain attack involved an attacker taking over a domain linked to a legitimate but abandoned add-in to deploy a fake Microsoft login page, resulting in the theft of over 4,000 credentials.

Key Points

  • The attack is the first known instance of a malicious Microsoft Outlook add-in.
  • Discovered by Koi Security, the attack is categorized as a supply chain attack.
  • An unknown attacker claimed a domain from an abandoned legitimate add-in.
  • The attacker used the domain to serve a fake Microsoft login page.
  • Over 4,000 Microsoft credentials were stolen as a result of this attack.

Analysis

This discovery highlights the potential risks associated with abandoned software components in supply chains, particularly in widely used applications like Microsoft Outlook. The attack demonstrates how attackers can exploit neglected domains to conduct phishing attacks, emphasizing the need for vigilance in monitoring and managing software dependencies and domains.

Conclusion

IT professionals should regularly audit and manage software dependencies and associated domains to prevent similar supply chain attacks. Additionally, implementing multi-factor authentication can mitigate the impact of credential theft.