
"Microsoft reviews the manifest, signs it, and lists the add-in in their store. But the actual content - the UI, the logic, everything the user interacts with - is fetched live from the developer's server every time the add-in opens," said Koi Security's researchers.

Orphaned URL

By grabbing the abandoned subdomain, the attacker gained control of whatever the URL in the original manifest pointed to.

This content was replaced with a new URL pointing to a phishing kit comprising a fake Microsoft sign-in page for password collection, an exfiltration script, and a redirect. The original manifest also granted the attacker permission to read and modify emails. "They didn't submit anything to Microsoft. They weren't required to pass any review. They didn't create a store listing. The listing already existed - Microsoft-reviewed, Microsoft-signed, Microsoft-distributed. The attacker just claimed an orphaned URL, and Microsoft's infrastructure did the rest," said Koi Security.
Microsoft reviews and signs add-in manifests while the add-in UI and logic are loaded live from developer servers each time an add-in opens. When a developer abandons a subdomain, an attacker can claim the orphaned URL and replace the hosted content. An attacker-controlled URL can deliver a phishing kit with a fake Microsoft sign-in page, exfiltration scripts, and redirects. A signed manifest can still grant powerful permissions such as reading and modifying emails, enabling credential theft and data access. Attackers can leverage already-reviewed and listed add-ins without submitting new content to Microsoft.
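The defensive check this story implies is an inventory of every URL an add-in manifest loads live, followed by a test of whether each hostname still resolves. The script below is an added example written for this page; it is not code from Koi Security, Computerworld or Microsoft. It assumes the Office add-in XML layout in which SourceLocation and bt:Url elements carry the endpoints, and every hostname in the embedded sample manifest is a constructed placeholder.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest (not taken from the article), modelled on the
# Office add-in XML layout in which SourceLocation and bt:Url attributes hold
# the endpoints that Office fetches live. Hostnames are placeholders under the
# reserved .test TLD.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://addin.example.test/taskpane.html"/>
  </DefaultSettings>
  <Resources>
    <bt:Urls>
      <bt:Url id="Taskpane.Url" DefaultValue="https://legacy-addin.example.test/pane.html"/>
      <bt:Url id="Legacy.Url" DefaultValue="http://old.example.test/pane.html"/>
      <bt:Url id="Help.Url" DefaultValue="https://docs.example.test/help"/>
    </bt:Urls>
  </Resources>
</OfficeApp>
"""


def extract_urls(manifest_xml):
    """Collect every http(s) URL that appears as an attribute value anywhere in the manifest."""
    root = ET.fromstring(manifest_xml)
    urls = set()
    for elem in root.iter():  # namespace-agnostic walk over all elements
        for value in elem.attrib.values():
            if value.startswith(("http://", "https://")):
                urls.add(value)
    return sorted(urls)


def host_resolves(host, resolve=socket.gethostbyname):
    """True when the resolver returns an address; a lookup error or empty result counts as not resolving."""
    try:
        return bool(resolve(host))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def audit_manifest(manifest_xml, resolve=socket.gethostbyname):
    """Map each risky live-loaded URL to the reason it was flagged.

    A hostname that no longer resolves is the precondition for the orphaned
    subdomain takeover described in the article; a plain-http endpoint is
    flagged because the signed manifest would then load unauthenticated code.
    """
    findings = {}
    for url in extract_urls(manifest_xml):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings[url] = "not served over https"
        elif not host_resolves(parsed.hostname, resolve):
            findings[url] = "hostname does not resolve: possible orphaned subdomain"
    return findings


if __name__ == "__main__":
    for url, reason in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{reason}: {url}")
```

The resolver is injectable so the audit can be run against a recorded DNS snapshot or a test double; with the default system resolver the `.test` placeholders never resolve, so every https entry in the sample is reported as dangling. Point `audit_manifest` at your own published manifests and schedule it, because the failure mode here is a hostname that was valid at review time and went dark later.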
Read at Computerworld