“Microsoft reviews the manifest, signs it, and lists the add-in in their store. But the actual content – the UI, the logic, everything the user interacts with – is fetched live from the developer’s server every time the add-in opens,” said Koi Security’s researchers.
Orphaned URL
By grabbing the abandoned subdomain, the attacker gained control of whatever the URL in the original manifest pointed to. That content was replaced with a new URL pointing to a phishing kit comprising a fake Microsoft sign-in page that collected passwords, an exfiltration script, and a redirect. The original manifest also granted the attacker permission to read and modify emails.
“They didn’t submit anything to Microsoft. They weren’t required to pass any review. They didn’t create a store listing. The listing already existed – Microsoft-reviewed, Microsoft-signed, Microsoft-distributed. The attacker just claimed an orphaned URL, and Microsoft’s infrastructure did the rest,” said Koi Security.
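The weak point described above is that the store-listed manifest is static while the URLs inside it are resolved live, so a defender's first check is whether any hostname referenced by an installed add-in's manifest still resolves. The script below is an added example written for this article; it is not code from Koi Security or Microsoft. It parses an Office add-in manifest in the XML format (SourceLocation, IconUrl and bt:Url elements all carry their URL in a DefaultValue attribute, and Permissions declares the mailbox access level), extracts every hostname, and flags those that no longer resolve. The manifest and its hostnames are constructed placeholders, and the resolver is injectable so the check can be run offline or against an internal resolver.

```python
"""Audit an Office add-in manifest for URLs whose hostnames no longer resolve.

Added example (not the article's or any vendor's code). A hostname that does not
resolve at all is one signal of an orphaned endpoint; a CNAME pointing at a
deprovisioned hosting target is another and needs a DNS library to inspect.
"""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest. The add-in ID and hostnames are placeholders
# under the reserved .test TLD; they do not refer to any real add-in.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Add-in"/>
  <Description DefaultValue="Constructed example manifest"/>
  <IconUrl DefaultValue="https://cdn.example-addin.test/icon.png"/>
  <Permissions>ReadWriteMailbox</Permissions>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://abandoned.example-addin.test/taskpane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides">
    <Resources>
      <bt:Urls>
        <bt:Url id="Taskpane.Url" DefaultValue="https://abandoned.example-addin.test/taskpane.html"/>
        <bt:Url id="Commands.Url" DefaultValue="https://cdn.example-addin.test/commands.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""


def extract_urls(manifest_xml: str) -> list:
    """Return every http(s) URL held in a DefaultValue attribute, in document order."""
    root = ET.fromstring(manifest_xml)
    urls = []
    for elem in root.iter():
        value = elem.get("DefaultValue")
        if value and value.lower().startswith(("http://", "https://")):
            urls.append(value)
    return urls


def extract_permissions(manifest_xml: str) -> list:
    """Return the declared Permissions values (e.g. ReadWriteMailbox), namespace-agnostic."""
    root = ET.fromstring(manifest_xml)
    return [
        elem.text.strip()
        for elem in root.iter()
        if elem.tag.rsplit("}", 1)[-1] == "Permissions" and elem.text
    ]


def dns_resolves(hostname: str) -> bool:
    """Live resolver: True if the hostname resolves to at least one address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def audit_manifest(manifest_xml: str, resolver=dns_resolves) -> dict:
    """Collect hosts the add-in loads content from and flag the ones that no longer resolve."""
    findings = {
        "hosts": [],          # unique hostnames the manifest points at
        "dangling": [],       # hostnames that failed to resolve
        "insecure": [],       # non-https URLs, which invite interception as well
        "permissions": extract_permissions(manifest_xml),
    }
    for url in extract_urls(manifest_xml):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings["insecure"].append(url)
        host = parsed.hostname
        if host is None or host in findings["hosts"]:
            continue
        findings["hosts"].append(host)
        if not resolver(host):
            findings["dangling"].append(host)
    return findings


if __name__ == "__main__":
    # Offline demo: pretend only the CDN host still resolves.
    demo_resolver = lambda host: host == "cdn.example-addin.test"
    result = audit_manifest(SAMPLE_MANIFEST, resolver=demo_resolver)
    for host in result["dangling"]:
        print(f"DANGLING: {host} (manifest grants {', '.join(result['permissions'])})")
```

Run it against each manifest your tenant has deployed (they can be exported from the admin centre or pulled from the add-in's listing) with the default resolver. A dangling host combined with a high permission level such as ReadWriteMailbox is the case to escalate first, since that is exactly the combination the article describes.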