From Outlook Add‑ins to Promptware: The Expanding Attack Surface

February 12, 2026 Faeem BLOGS 0

Two recent discoveries highlight how attackers are exploiting both traditional software ecosystems and emerging AI platforms to compromise users in ways that feel almost invisible.

Outlook Add‑in Hijack: AgreeTo

  • What happened: A once‑legitimate open‑source meeting scheduler, AgreeTo, was abandoned by its developer. Attackers claimed its orphaned hosting URL and deployed a phishing kit.
  • Impact: Over 4,000 Microsoft account credentials, credit card numbers, and banking security answers were stolen.
  • Why it matters: Office add‑ins are “remote dynamic dependencies”—they load external URLs in iframes. Microsoft reviews manifests only at submission, not continuously. This creates a supply chain blind spot where trusted tools can silently turn malicious years later.

Promptware: AI as a Sleeper Agent

  • Discovery: Researchers from Ben‑Gurion University, Tel Aviv University, and Harvard demonstrated “Promptware”—malicious instructions hidden in text that AI assistants read.
  • Case study: A simple Google Calendar invite tricked Gemini into streaming a victim’s camera via Zoom, triggered by everyday phrases like “Thank you” or “Great.”
  • Capabilities: Promptware can establish persistence, move laterally (open apps, smart home devices), and execute physical actions—all without malware installation.
  • Why it matters: As AI assistants gain control over apps and devices, attackers gain new ways to weaponize them through indirect prompt injection.

Shared Lessons

  • Trust is fragile: Whether it’s an abandoned add‑in or a calendar invite, attackers exploit the assumption that trusted platforms are safe.
  • Continuous validation is key: Vendors must monitor hosted content and AI inputs beyond initial approval.
  • User vigilance matters: Unexpected login prompts or suspicious invites should be treated with caution—even inside trusted ecosystems.
  • Defensive innovation: Security teams must adapt to both supply chain risks and AI‑driven threats, building detection for unusual behaviors like IRC‑style connections, short‑cycle cron jobs, or AI‑triggered app launches.

Final Thought

The AgreeTo compromise and Promptware research show that attackers don’t need to break in—they wait for us to open the door. Whether through abandoned infrastructure or manipulated AI prompts, the attack surface is expanding in ways that challenge traditional defenses. The future of cybersecurity will depend on continuous trust validation, smarter monitoring, and proactive AI safety.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.