A blind spot in Microsoft’s app and add-in marketplace security allowed an eagle-eyed hacker to hijack an abandoned Outlook add-in to carry out phishing attacks that compromised 4,000 users, researchers have discovered. The app in question, AgreeTo, is, or was, a meeting scheduling tool that first appeared in 2022 but was abandoned at some point after that by its developer. Despite this, the add-in continued to be listed on Microsoft’s site. A hacker noticed the change in its status and hijacked the dead add-in and its 4.71-star rating to conduct a phishing campaign that the company which uncovered the attack, plug-in security company Koi Security, later discovered had successfully stolen th...