
‘Dead’ Outlook add-in hijacked to phish 4,000 Microsoft Office Store users

“Microsoft reviews the manifest, signs it, and lists the add-in in their store. But the actual content – the UI, the logic, everything the user interacts with – is fetched live from the developer’s server every time the add-in opens,” said Koi Security’s researchers.

Orphaned URL

By registering the abandoned subdomain, the attacker gained control of whatever the URL in the original manifest pointed to. That content was replaced with a new URL pointing to a phishing kit comprising a fake Microsoft sign-in page for password collection, an exfiltration script, and a redirect. Because the original manifest was unchanged, it also still granted the now attacker-controlled add-in permission to read and modify emails.
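The manifest-points-to-live-content model described above is what makes an abandoned content host worth auditing on every installed add-in. The following is an added example, not code from the original article, from Koi Security or from Microsoft: it parses a constructed, simplified Outlook add-in manifest (the hostnames under the reserved .invalid TLD, the placeholder Id and the DNS answers are all assumptions), lists every URL the add-in would load at runtime, resolves each host through an injectable resolver, and flags hosts that no longer resolve, which is exactly the condition an attacker needs in order to claim them. It also reports when such a dangling host is paired with a mail read/write permission.

```python
"""Audit an Office add-in manifest for content hosts that no longer resolve."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OFFICE_NS = "http://schemas.microsoft.com/office/appforoffice/1.1"

# Constructed, simplified mail add-in manifest. The .invalid hostnames and the
# all-zero Id are placeholders; nothing here refers to a real add-in.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Add-in"/>
  <Description DefaultValue="Constructed sample"/>
  <IconUrl DefaultValue="https://cdn.example-vendor.invalid/icon.png"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example-vendor.invalid/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
</OfficeApp>
"""

# Outlook manifest permission values that let the remotely loaded code read or change mail.
MAIL_WRITE_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}


def manifest_urls(manifest_xml):
    """Return (element name, url) pairs for every http(s) URL in an attribute or text node."""
    root = ET.fromstring(manifest_xml)
    urls = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        candidates = list(elem.attrib.values())
        if elem.text:
            candidates.append(elem.text.strip())
        for value in candidates:
            if value.startswith(("http://", "https://")):
                urls.append((tag, value))
    return urls


def manifest_permissions(manifest_xml):
    """Return the <Permissions> values declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [p.text.strip() for p in root.iter(f"{{{OFFICE_NS}}}Permissions") if p.text]


def dns_resolver(host):
    """Live lookup for real use: a list of answers, or None when the name does not resolve."""
    try:
        return [socket.gethostbyname(host)]
    except socket.gaierror:
        return None


def audit_manifest(manifest_xml, resolve):
    """resolve(hostname) returns DNS answers, or None when the name does not exist.
    A content host that no longer resolves is a takeover candidate: whoever registers it
    controls what the signed, store-listed add-in loads the next time it opens."""
    findings, seen_hosts, dangling = [], set(), []
    for tag, url in manifest_urls(manifest_xml):
        if url.startswith("http://"):
            findings.append(f"PLAINTEXT {tag}: {url} is fetched without TLS")
        host = urlparse(url).hostname
        if host and host not in seen_hosts:
            seen_hosts.add(host)
            if resolve(host) is None:
                findings.append(f"DANGLING {tag}: {host} does not resolve (NXDOMAIN)")
                dangling.append(host)
    risky = MAIL_WRITE_PERMISSIONS.intersection(manifest_permissions(manifest_xml))
    if dangling and risky:
        findings.append("HIGH: dangling content host combined with " + ", ".join(sorted(risky)))
    return findings


if __name__ == "__main__":
    # Constructed DNS answers: the CDN still resolves, the add-in content host was abandoned.
    fake_dns = {"cdn.example-vendor.invalid": ["203.0.113.10"],
                "addin.example-vendor.invalid": None}
    for line in audit_manifest(SAMPLE_MANIFEST, fake_dns.get):
        print(line)
```

Pass `dns_resolver` instead of the constructed dictionary to run it against a real manifest; an NXDOMAIN on a `SourceLocation` host is the finding to act on, since that is the URL the client fetches and executes every time the add-in opens.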

“They didn’t submit anything to Microsoft. They weren’t required to pass any review. They didn’t create a store listing. The listing already existed – Microsoft-reviewed, Microsoft-signed, Microsoft-distributed. The attacker just claimed an orphaned URL, and Microsoft’s infrastructure did the rest,” said Koi Security.
