What happened
Threat actors hijacked a legitimate Outlook add-in distributed through the Microsoft Store, in a campaign that resulted in the theft of approximately 4,000 Microsoft accounts. According to the report, the attackers inserted malicious code into the add-in's package before it was published to the store, so the compromised extension could intercept account credentials when users signed in to Microsoft services through Outlook. Once installed, the add-in captured login information and sent it to infrastructure under the attackers' control. Microsoft detected the unauthorized modification, removed the add-in from the Store, and began notifying users whose credentials were likely compromised. The incident shows how a software distribution channel can be abused when integrity checks or publisher controls are bypassed: the listing still carried a trusted publisher's name, but the package users installed was no longer the one that publisher had built.
Who is affected
Approximately 4,000 Microsoft account holders who installed the hijacked Outlook add-in from the Microsoft Store are affected, as their account credentials were likely captured and misused by the attackers.
Why CISOs should care
The compromise of a trusted add-in distribution channel shows the risk inherent in third-party extensions and marketplace software. An add-in runs inside the mail client with the user's trust, so a malicious modification that slips past the marketplace's checks turns a routine install into credential theft and broader account compromise in every tenant that deployed it.
3 practical actions
- Audit installed add-ins and extensions. Inventory organization-wide and per-mailbox Outlook add-ins, record each one's publisher, ID, version and the hosts it loads code from, and remove anything that is not on an approved list or that changed without an expected update.
- Monitor for account misuse. For the accounts that had the add-in installed, reset credentials and revoke active sessions, then watch sign-in logs for new countries or IP ranges, impossible travel, and successful sign-ins immediately following failed attempts.
- Strengthen publisher verification. Pin approved add-ins by ID and version, compare manifest hashes against a known-good baseline before deployment, and restrict user self-service installation from any marketplace to vetted packages.
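The first and third actions come down to the same check: does the add-in still load code only from hosts its publisher declared, and does its manifest still match the one you approved? The script below is an added example written for this page, not code from the report or from Microsoft. It parses an Outlook add-in manifest (the Office add-in XML schema), collects every URL the add-in can load from, flags hosts outside a per-publisher allowlist and any non-HTTPS load, and compares the manifest's SHA-256 against a baseline. Both manifests, the publisher domain and the add-in ID are constructed placeholders.

```python
"""Audit an Outlook add-in manifest for unexpected code-loading hosts and for
drift from an approved baseline. Added example; manifests are constructed."""
import hashlib
from typing import Optional
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

OFFICE_NS = {"o": "http://schemas.microsoft.com/office/appforoffice/1.1"}

# Constructed baseline manifest (abridged MailApp manifest; placeholder IDs/hosts).
BASELINE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000001</Id>
  <Version>1.2.0</Version>
  <ProviderName>Example Publisher</ProviderName>
  <DisplayName DefaultValue="Example Mail Helper"/>
  <IconUrl DefaultValue="https://addin.example-publisher.com/icon.png"/>
  <AppDomains>
    <AppDomain>https://addin.example-publisher.com</AppDomain>
  </AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example-publisher.com/read.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""

# Constructed tampered variant: version bumped and the task pane now loads from a
# host the publisher never declared. This is the kind of drift the audit should catch.
TAMPERED_MANIFEST = BASELINE_MANIFEST.replace(
    "<Version>1.2.0</Version>", "<Version>1.2.1</Version>"
).replace(
    'DefaultValue="https://addin.example-publisher.com/read.html"',
    'DefaultValue="https://cdn-updates.example.net/read.html"',
)


def manifest_sha256(manifest_xml: str) -> str:
    return hashlib.sha256(manifest_xml.encode("utf-8")).hexdigest()


def extract_urls(manifest_xml: str) -> list:
    """Every URL the add-in may load code or assets from: any DefaultValue
    attribute holding a URL (SourceLocation, IconUrl, VersionOverrides <Url>)
    plus each AppDomain entry."""
    urls = []
    for el in ET.fromstring(manifest_xml).iter():
        value = el.attrib.get("DefaultValue", "")
        if value.startswith(("http://", "https://")):
            urls.append(value)
        if el.tag.rsplit("}", 1)[-1] == "AppDomain" and el.text:
            urls.append(el.text.strip())
    return urls


def host_allowed(host: str, allowed_domains: set) -> bool:
    return host in allowed_domains or any(host.endswith("." + d) for d in allowed_domains)


def audit_manifest(manifest_xml: str, allowed_domains: set,
                   known_sha256: Optional[str] = None) -> dict:
    """Return identity fields, the manifest hash and a list of findings."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for url in extract_urls(manifest_xml):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS load: {url}")
        if not host_allowed(parsed.hostname or "", allowed_domains):
            findings.append(f"unexpected host: {url}")
    digest = manifest_sha256(manifest_xml)
    if known_sha256 and digest != known_sha256:
        findings.append("manifest hash differs from approved baseline")
    return {
        "app_id": root.findtext("o:Id", namespaces=OFFICE_NS),
        "version": root.findtext("o:Version", namespaces=OFFICE_NS),
        "provider": root.findtext("o:ProviderName", namespaces=OFFICE_NS),
        "sha256": digest,
        "findings": findings,
    }


if __name__ == "__main__":
    allowed = {"example-publisher.com"}
    approved = audit_manifest(BASELINE_MANIFEST, allowed)
    for f in audit_manifest(TAMPERED_MANIFEST, allowed, approved["sha256"])["findings"]:
        print("FINDING:", f)
```

In practice, feed the script the manifests you export from your tenant's add-in inventory and keep the approved hash per add-in ID and version; a version bump that also changes the set of hosts is the signal to stop and ask the publisher before the update reaches mailboxes.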
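For the second action, the detection logic below is an added example, not code from the report or from Microsoft. It runs over constructed sign-in records shaped like Microsoft Entra ID sign-in log fields (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode) and raises three alert types for the accounts that had the add-in: a successful sign-in from a country outside the user's baseline, two successful sign-ins from different countries closer together than plausible travel allows, and a success from the same address within minutes of a failed attempt. The user names, IPs and baselines are placeholders; error code 50126 is Entra's invalid-credentials code.

```python
"""Flag unusual sign-in activity for accounts exposed to a compromised add-in.
Added example; sign-in records and baselines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records for three accounts that installed the add-in.
SIGN_INS = [
    {"userPrincipalName": "alice@corp.example", "createdDateTime": "2024-06-03T09:00:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@corp.example", "createdDateTime": "2024-06-03T09:40:00Z",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@corp.example", "createdDateTime": "2024-06-03T10:00:00Z",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@corp.example", "createdDateTime": "2024-06-03T11:05:00Z",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@corp.example", "createdDateTime": "2024-06-03T02:15:00Z",
     "ipAddress": "192.0.2.200", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@corp.example", "createdDateTime": "2024-06-03T02:16:00Z",
     "ipAddress": "192.0.2.200", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 0}},
]

# Placeholder baseline of countries each user normally signs in from; in practice
# derive it from the weeks before the add-in was installed.
BASELINE = {
    "alice@corp.example": {"US"},
    "bob@corp.example": {"DE"},
    "carol@corp.example": {"US"},
}


def parse_ts(ts: str) -> datetime:
    # Entra timestamps end in "Z"; older Pythons' fromisoformat needs "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_anomalies(sign_ins, baseline, max_travel=timedelta(hours=2),
                     fail_window=timedelta(minutes=10)):
    """Return a list of {"user", "type", "detail"} alerts."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sign_ins:
        by_user[ev["userPrincipalName"]].append(ev)

    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        known = baseline.get(user, set())
        last_ok = None      # most recent successful sign-in
        last_fail = None    # most recent failed sign-in
        for ev in events:
            ts = parse_ts(ev["createdDateTime"])
            country = ev["location"]["countryOrRegion"]
            if ev["status"]["errorCode"] != 0:
                last_fail = ev
                continue
            if country not in known:
                alerts.append({"user": user, "type": "new_country",
                               "detail": f"{country} from {ev['ipAddress']}"})
            if last_ok is not None:
                prev_country = last_ok["location"]["countryOrRegion"]
                gap = ts - parse_ts(last_ok["createdDateTime"])
                if prev_country != country and gap < max_travel:
                    alerts.append({"user": user, "type": "impossible_travel",
                                   "detail": f"{prev_country} -> {country} in {gap}"})
            if (last_fail is not None and last_fail["ipAddress"] == ev["ipAddress"]
                    and ts - parse_ts(last_fail["createdDateTime"]) < fail_window):
                alerts.append({"user": user, "type": "success_after_failure",
                               "detail": f"from {ev['ipAddress']} after error "
                                         f"{last_fail['status']['errorCode']}"})
            last_ok = ev
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SIGN_INS, BASELINE):
        print(a["user"], a["type"], a["detail"])
```

The baseline matters more than the thresholds: scope it to the period before the add-in was installed, otherwise the attacker's own sign-ins become part of what the detector considers normal.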
