What Happened
In February 2026, Microsoft disclosed that approximately 4,000 user accounts were compromised via a malicious Outlook add-in used to harvest credentials.
The incident has been contained. While small in scale, it illustrates the growing attack surface of browser and email extensions as an entry point for credential theft.
Timeline
- February 2026 — Microsoft discloses credential theft via malicious Outlook add-in affecting 4,000 accounts
- February 2026 — Incident contained; malicious add-in removed from marketplace
Impact and Risk Assessment
For Individuals
Approximately 4,000 users had their Microsoft credentials harvested through the malicious Outlook add-in, potentially enabling access to email, cloud storage, and other Microsoft 365 services.
For Organisations
Organisations using Microsoft 365 should assess whether any of their users installed the malicious add-in.
Compromised Microsoft 365 credentials can provide access to email, SharePoint, Teams, and other enterprise services.
Regulatory Context
Depending on the data accessible through the compromised accounts, various data protection regulations may apply, including GDPR for EU users.
What Should You Do?
For Individuals
- Review your installed Outlook add-ins and remove any you do not recognise. Change your Microsoft account password if you suspect compromise.
For Security Professionals
- Implement policies to restrict which add-ins and extensions are permitted in your Microsoft 365 environment.
- Use conditional access policies and sign-in risk detection to identify and block suspicious authentication attempts from compromised credentials.
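One way to carry out the two recommendations above (an add-in inventory and lockdown in Exchange Online, then a risk-based conditional access policy in Microsoft Entra ID), written as an added example for this advisory rather than code from Microsoft or the advisory itself. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the signed-in account holds Exchange administrator and Conditional Access administrator rights; $SuspectAppId and the break-glass group id are placeholders, since the advisory publishes no add-in identifier.

```powershell
# Added example, not from the advisory. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules are installed and the account has Exchange administrator
# and Conditional Access administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Placeholder: the AppId of the add-in you are hunting for. The advisory does not
# publish one; take it from Microsoft's notification or your own triage.
$SuspectAppId = '00000000-0000-0000-0000-000000000000'

# 1. Inventory every add-in in every mailbox, recording which mailbox it sits in.
#    Get-App -Mailbox returns both organisation-deployed and user-installed add-ins
#    for that mailbox, so the report also shows what users added themselves.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    Get-App -Mailbox $upn |
        Select-Object @{ Name = 'Mailbox'; Expression = { $upn } }, DisplayName, AppId, ProviderName, Enabled
}
$report | Export-Csv -Path .\outlook-addins.csv -NoTypeInformation

# 2. Mailboxes holding the suspect add-in: remove it, and treat each owner as a
#    candidate for credential reset and sign-in review.
$affected = $report | Where-Object { $_.AppId -eq $SuspectAppId }
foreach ($entry in $affected) {
    Remove-App -Identity $entry.AppId -Mailbox $entry.Mailbox -Confirm:$false
}
$affected | Select-Object -ExpandProperty Mailbox -Unique

# 3. Stop users from self-installing marketplace or custom add-ins in future by
#    removing the self-service app roles from the default role assignment policy.
#    Add-ins deployed by administrators are unaffected.
$selfServiceRoles = 'My Marketplace Apps', 'My Custom Apps', 'My ReadWriteMailbox Apps'
foreach ($role in $selfServiceRoles) {
    Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' -Role $role |
        Remove-ManagementRoleAssignment -Confirm:$false
}
Disconnect-ExchangeOnline -Confirm:$false

# 4. Conditional access: require MFA when Entra ID Protection rates a sign-in as
#    medium or high risk, which is where a harvested password tends to surface.
#    Created in report-only mode first so its effect can be reviewed before enforcing.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$policy = @{
    displayName = 'Require MFA for medium and high sign-in risk'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions  = @{
        users            = @{
            includeUsers  = @('All')
            excludeGroups = @('<break-glass-group-object-id>')   # placeholder
        }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Disconnect-MgGraph
```

Get-App runs per mailbox, so the inventory in step 1 is slow on large tenants; run it once and work from the CSV. Step 3 only governs Exchange Online role assignments; tenants that manage add-ins through Integrated apps in the Microsoft 365 admin centre should apply the equivalent restriction there as well. The sign-in risk condition in step 4 depends on Entra ID Protection, which requires the relevant Entra ID licence, and the excluded break-glass group should exist before the policy is enabled.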
Learnings and Recommendations
Browser and email extensions represent an expanding attack surface. Organisations should review and restrict which add-ins and extensions are permitted in their environments.
Even small-scale credential harvesting incidents can serve as initial access for broader compromises.