
Malicious Outlook Add-In Hijack Steals 4,000 Microsoft Credentials


A breach transformed the AgreeTo plug-in for Microsoft Outlook - once meant for organizing meetings - into a weapon that harvested over four thousand login details. Though built by a third-party developer and offered through the official Office Add-in Store starting in late 2022, it turned against its intended purpose. Instead of simplifying calendars, it funneled user data to attackers. What began as a practical tool ended up exploited, quietly capturing credentials under false trust. 

Not every tool inside Office apps runs locally - some pull data straight from web addresses. For AgreeTo, its feature lived online through a link managed via Vercel. That address stopped receiving updates when the creator walked away, even though people kept using it. With no one fixing issues, the software faded into silence. Yet Microsoft still displayed it as available for download. Later, someone with harmful intent took control of the unused webpage. From there, they served malicious material under the app’s trusted name. A login screen mimicking Microsoft’s design appeared where the real one should have been, according to analysts at Koi Security. 

Instead of authentic access points, users faced a counterfeit form built to harvest credentials. Hidden scripts ran alongside, silently sending captured data elsewhere. After approval in Microsoft’s marketplace, the add-in escaped further checks. The company examines just the manifest when apps are submitted - nothing beyond that gets verified later. Interface components and features load externally, pulled from servers run by developers themselves. 

Since AgreeTo passed initial review, its updated files came straight from machines now under malicious control. Oversight ended once publication was complete. From inside the attacker’s data pipeline, Koi Security found over 4,000 Microsoft login details already taken. Alongside these, information such as credit card records and responses to bank verification questions had also been collected. While analyzing activity, experts noticed live attempts using the breached logins unfolding in real time. 

Opening the harmful AgreeTo add-on in Outlook displayed a counterfeit Microsoft login screen within the sidebar rather than the expected calendar tool. Resembling an authentic authentication portal, this imitation proved hard to recognize as fraudulent. Once victims submitted their details, those credentials got sent through a Telegram bot interface. Following that transfer, individuals saw the genuine Microsoft sign-in page appear - helping mask what had just occurred. Despite keeping ReadWriteItem access, which enables viewing and editing messages, there's no proof the tool tampered with any emails. 
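The takeover worked because an add-in's manifest only names the web addresses Office fetches the task pane from, and nothing checks later whether those hosts are still controlled by the publisher. The following is an added example (not Koi Security's tooling or AgreeTo's real manifest) that audits a constructed Office add-in manifest: it lists every runtime URL, the declared permission, and flags hosts on shared platforms whose project subdomains can be re-registered once abandoned; the platform suffix list and the sample manifest are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest in the Office add-in XML format (not AgreeTo's real one).
# Office loads the task pane from SourceLocation on every open, so whoever owns that
# host owns the add-in's UI, regardless of what the marketplace reviewed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://example-scheduler.vercel.app/icon.png"/>
  <AppDomains><AppDomain>https://login.example-scheduler.vercel.app</AppDomain></AppDomains>
  <Permissions>ReadWriteItem</Permissions>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://example-scheduler.vercel.app/taskpane.html"/>
  </DefaultSettings>
  <Resources>
    <bt:Urls><bt:Url id="Taskpane.Url" DefaultValue="https://cdn.example-scheduler.com/v2/"/></bt:Urls>
  </Resources>
</OfficeApp>"""

# Heuristic (assumption): hosting platforms that free a project subdomain when the
# project is deleted, so a lapsed add-in backend can be claimed by a third party.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".github.io", ".netlify.app",
                        ".herokuapp.com", ".azurewebsites.net")

def runtime_urls(manifest_xml):
    """Return every absolute http(s) URL the manifest tells Office to load at runtime."""
    urls = []
    for el in ET.fromstring(manifest_xml).iter():
        val = el.attrib.get("DefaultValue", "")
        if val.startswith(("http://", "https://")):
            urls.append(val)
        if el.tag.endswith("}AppDomain") and el.text and el.text.strip().startswith("http"):
            urls.append(el.text.strip())
    return urls

def declared_permission(manifest_xml):
    """Return the mailbox permission the add-in asks for (e.g. ReadWriteItem)."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.endswith("}Permissions") and el.text:
            return el.text.strip()
    return None

def audit_manifest(manifest_xml):
    """Map each runtime host to the set of issues a reviewer should verify ownership of."""
    findings = {}
    for url in runtime_urls(manifest_xml):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        issues = findings.setdefault(host, set())
        if parsed.scheme != "https":
            issues.add("cleartext")
        if host.endswith(RECLAIMABLE_SUFFIXES):
            issues.add("reclaimable-subdomain")
    return findings
```

Hosts tagged `reclaimable-subdomain` are the ones to re-verify periodically, since a passing manifest review says nothing about who serves that URL a year later.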

Behind the campaign, investigators spotted a single actor running several phishing setups aimed at financial services, online connectivity firms, and email systems. Notable because it lives inside Microsoft’s official store, AgreeTo stands apart from past threats that spread via spam, phishing, or malvertising. This marks the first time a verified piece of malware has appeared on the Microsoft Marketplace, according to Oren Yomtov at Koi. He also notes it is the initial harmful Outlook extension spotted actively used outside test environments. 

Microsoft has removed AgreeTo from the store. Anyone who still has the add-in installed should uninstall it without delay and then change their password. Microsoft was asked for comment but has not yet replied.

Microsoft Probes Outlook Bug Blocking Encrypted Emails Across Tenants


Microsoft is investigating a newly identified issue that prevents users of the classic Outlook client from opening encrypted emails sent by other organizations. 

The company confirmed the problem in a recently updated support document, noting that the bug affects customers across all Office release channels. 

According to Microsoft, users attempting to access such emails may encounter the error message: “Configuring your computer for Information Rights Management.” The glitch impacts OMEv2 (Office Message Encryption version 2) messages when sent across different tenants, creating disruptions for enterprise communication. 

Temporary workaround provided 

While the root cause is still under review, Microsoft has issued a temporary fix. Impacted organizations can either exclude external users from Conditional Access policies or enable cross-tenant settings that allow authentication tokens to be trusted between Entra tenants. 

The company recommends the second option as the simpler solution. Administrators can enable cross-tenant access by navigating to the “Inbound access settings – Default settings” page in the Microsoft Entra admin center, selecting “Trust settings,” and then enabling “Trust multifactor authentication from Microsoft Entra tenants.” 

Microsoft cautioned, however, that this workaround only ensures encrypted emails sent from an organization can be opened by others. 

To access encrypted messages received from a different tenant, the sending organization must also apply the same configuration.

Ongoing investigation

The Outlook and Purview teams are currently working on a permanent resolution.

Microsoft has assured customers that updates will be shared once more information is available. 

This is the latest in a string of Outlook-related bugs addressed by Redmond (Microsoft's global headquarters) this year.

In June, the company resolved a crash affecting the classic Outlook client when opening or composing emails. Later, in August, it mitigated an Exchange Online issue that blocked mobile users relying on Hybrid Modern Authentication. 

With encrypted communications becoming central to enterprise security, a swift resolution will be crucial to ensure seamless cross-tenant collaboration.

Cyber-Espionage Malware FinalDraft Exploits Outlook Drafts for Covert Operations


A newly identified malware, FinalDraft, has been leveraging Microsoft Outlook email drafts for command-and-control (C2) communication in targeted cyberattacks against a South American foreign ministry.

Elastic Security Labs uncovered the attacks, which deploy an advanced malware toolset comprising a custom loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. By exploiting Outlook drafts instead of sending emails, the malware ensures stealth, allowing threat actors to conduct data exfiltration, proxying, process injection, and lateral movement while minimizing detection risks.

The attack initiates with the deployment of PathLoader—a lightweight executable that runs shellcode, including the FinalDraft malware, retrieved from the attacker's infrastructure. PathLoader incorporates security mechanisms such as API hashing and string encryption to evade static analysis.

Stealth Communication via Outlook Drafts

FinalDraft facilitates data exfiltration and process injection by establishing communication through Microsoft Graph API, transmitting commands via Outlook drafts. The malware retrieves an OAuth token from Microsoft using a refresh token embedded in its configuration and stores it in the Windows Registry for persistent access. By leveraging drafts instead of sending emails, it seamlessly blends into Microsoft 365 network traffic, evading traditional detection mechanisms.

Commands from the attacker appear in drafts labeled r_, while responses are stored as p_. Once executed, draft commands are deleted, making forensic analysis significantly more challenging.
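The draft lifecycle described above (an `r_` or `p_` draft appears, is consumed, and is deleted without ever being sent) is itself a detectable pattern. The following is an added example, not from Elastic's report: a detection pass over constructed, simplified mailbox-activity records (the JSON field names are an assumption, not a real Microsoft 365 audit schema) that flags users with repeated short-lived prefixed drafts while ignoring ordinary drafts that get sent.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real audit-log data). Two tenants' worth of noise:
# a.ruiz shows the r_/p_ create-then-delete pattern, b.lee drafts and sends a normal
# mail, c.kim happens to use an r_ prefix but never deletes the draft.
SAMPLE_LOG = """
{"ts": "2025-02-10T09:00:01Z", "user": "a.ruiz@example.gov", "op": "DraftCreate", "subject": "r_8f1c"}
{"ts": "2025-02-10T09:00:09Z", "user": "a.ruiz@example.gov", "op": "DraftDelete", "subject": "r_8f1c"}
{"ts": "2025-02-10T09:00:10Z", "user": "a.ruiz@example.gov", "op": "DraftCreate", "subject": "p_8f1c"}
{"ts": "2025-02-10T09:00:31Z", "user": "a.ruiz@example.gov", "op": "DraftDelete", "subject": "p_8f1c"}
{"ts": "2025-02-10T09:15:00Z", "user": "b.lee@example.gov", "op": "DraftCreate", "subject": "Re: budget"}
{"ts": "2025-02-10T09:40:00Z", "user": "b.lee@example.gov", "op": "Send", "subject": "Re: budget"}
{"ts": "2025-02-10T10:00:00Z", "user": "c.kim@example.gov", "op": "DraftCreate", "subject": "r_notes"}
"""

# Subject prefixes reported for FinalDraft command (r_) and response (p_) drafts.
C2_PREFIXES = ("r_", "p_")
# Drafts deleted this soon after creation, without a Send, look machine-driven (assumption).
WINDOW = timedelta(minutes=5)

def parse_log(text):
    """Parse one JSON record per line and convert timestamps to datetime."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return records

def detect_draft_c2(records, min_hits=2):
    """Return {user: [subjects]} for users with >= min_hits prefixed drafts that were
    created and then deleted inside WINDOW without ever being sent."""
    open_drafts = {}  # (user, subject) -> creation time of a still-unsent prefixed draft
    hits = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["user"], rec["subject"])
        if rec["op"] == "DraftCreate" and rec["subject"].startswith(C2_PREFIXES):
            open_drafts[key] = rec["ts"]
        elif rec["op"] == "Send":
            open_drafts.pop(key, None)  # a sent draft is ordinary mail, not a C2 slot
        elif rec["op"] == "DraftDelete" and key in open_drafts:
            if rec["ts"] - open_drafts.pop(key) <= WINDOW:
                hits.setdefault(rec["user"], []).append(rec["subject"])
    return {user: subjects for user, subjects in hits.items() if len(subjects) >= min_hits}
```

Because the deleted drafts leave little behind in the mailbox, the create/delete events in activity logs are often the only durable trace, which is why the rule keys on them rather than on message content.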

FinalDraft supports 37 commands, enabling sophisticated cyber-espionage activities, including:

  • Data exfiltration: Extracting sensitive files, credentials, and system information.
  • Process injection: Running malicious payloads within legitimate processes such as mspaint.exe.
  • Pass-the-Hash attacks: Stealing authentication credentials to facilitate lateral movement.
  • Network proxying: Establishing covert network tunnels.
  • File operations: Copying, deleting, or modifying files.
  • PowerShell execution: Running PowerShell commands without launching powershell.exe.

Elastic Security Labs also detected a Linux variant of FinalDraft, which utilizes Outlook via REST API and Graph API while supporting multiple C2 communication channels, including HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based exchanges.

The research team attributes the attack to a campaign named REF7707, which primarily targets South American governmental entities. However, infrastructure analysis indicates links to Southeast Asian victims, suggesting a larger-scale operation. The investigation also revealed an additional undocumented malware loader, GuidLoader, designed to decrypt and execute payloads in memory.

Further examination showed repeated attacks on high-value institutions via compromised telecommunications and internet infrastructure in Southeast Asia. Additionally, a Southeast Asian university’s public-facing storage system was found hosting malware payloads, potentially indicating a prior compromise or a foothold in a supply chain attack.

Security teams can utilize YARA rules provided in Elastic’s reports to detect and mitigate threats associated with GuidLoader, PathLoader, and FinalDraft. The findings underscore the increasing sophistication of cyber-espionage tactics and the need for robust cybersecurity defenses.