Microsoft
Analysis of the Microsoft Outlook add-in credential theft affecting 4,000 user accounts.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: Microsoft, an American multinational technology corporation producing software, cloud services, and hardware, including the Microsoft 365 productivity suite.
Sector: Technology
Region: Global
Date of Incident: Prior to February 2026 (exact date not disclosed)
Date Disclosed: February 2026
Estimated Impact: 4,000 user accounts
Data Types Exposed: Credentials (email/password combinations) harvested via a malicious Outlook add-in
Attack Type: Phishing
Attack Vector: Malicious Outlook add-in used to harvest credentials
Current Status: Incident contained. Malicious add-in removed. Affected accounts secured.
Severity Assessment: Moderate. While 4,000 accounts is a relatively small number, the attack vector, an add-in on a trusted platform, highlights an expanding attack surface that could scale significantly.
What Happened
In February 2026, Microsoft disclosed that approximately 4,000 user accounts were compromised via a malicious Outlook add-in used to harvest credentials.
The incident has been contained. While small in scale, it illustrates the growing attack surface that browser and email extensions present as an entry point for credential theft.
Timeline
February 2026: Microsoft discloses credential theft via a malicious Outlook add-in affecting 4,000 accounts.
February 2026: Incident contained; malicious add-in removed from the marketplace.
Impact and Risk Assessment
For Affected Individuals
4,000 users had their Microsoft credentials harvested through a malicious Outlook add-in, potentially enabling access to email, cloud storage, and other Microsoft 365 services.
For Organisations
Organisations using Microsoft 365 should assess whether any of their users installed the malicious add-in.
Compromised Microsoft 365 credentials can provide access to email, SharePoint, Teams, and other enterprise services, so any affected account should be treated as a potential foothold rather than an isolated mailbox compromise.
Regulatory Context
Depending on the data accessible through compromised accounts, various data protection regulations may apply including GDPR for EU users.
What Should You Do?
If You Are a Potentially Affected Individual
Review your installed Outlook add-ins and remove any you do not recognise. Change your Microsoft account password if you suspect compromise.
If You Are a Security or Risk Professional
Implement policies to restrict which add-ins and extensions are permitted in your Microsoft 365 environment.
Use conditional access policies and sign-in risk detection to identify and block suspicious authentication attempts from compromised credentials.
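The two steps above for security teams, assessing which users installed an unrecognised add-in and restricting what users may install, can be carried out from Exchange Online PowerShell. The script below is an added example written for this advisory; it is not Scrutex's or Microsoft's code. It assumes the ExchangeOnlineManagement module, an account holding the Exchange administrator role, and an allow list of approved add-in identifiers. The advisory does not name the malicious add-in, so the suspect AppId is a placeholder to be replaced with the identifier from vendor guidance. On a first run Microsoft's built-in add-ins will also appear as "unapproved" until they are added to the allow list after review.

```powershell
# Added example (not from the advisory): inventory Outlook add-ins across all
# mailboxes in a Microsoft 365 tenant, flag any not on an allow list, remove a
# known-bad add-in, and stop end users from self-installing add-ins.
# Assumes the ExchangeOnlineManagement module and Exchange administrator rights.

Connect-ExchangeOnline   # interactive sign-in

# Add-ins the organisation has approved (PLACEHOLDER values; replace with your own).
$ApprovedAppIds = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder: an approved add-in
)

# Identifier of the add-in under investigation (PLACEHOLDER; the advisory does not name it).
$SuspectAppId = 'PLACEHOLDER-SUSPECT-APPID'

# Walk every mailbox and list the add-ins installed for it. Get-App -Mailbox
# returns both user-installed and org-deployed add-ins for that mailbox.
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress) {
    foreach ($app in Get-App -Mailbox $mbx.PrimarySmtpAddress) {
        if ($ApprovedAppIds -notcontains $app.AppId) {
            [pscustomobject]@{
                Mailbox     = $mbx.PrimarySmtpAddress
                DisplayName = $app.DisplayName
                AppId       = $app.AppId
                Provider    = $app.ProviderName
                Enabled     = $app.Enabled
                Suspect     = ($app.AppId -eq $SuspectAppId)
            }
        }
    }
}

# Review unapproved add-ins, known-bad first, and keep a record for the incident file.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\outlook-addin-inventory.csv -NoTypeInformation

# Remove the suspect add-in from every mailbox where it was found.
# -WhatIf only reports the action; drop it once the list has been reviewed.
$findings | Where-Object Suspect | ForEach-Object {
    Remove-App -Identity $_.AppId -Mailbox $_.Mailbox -Confirm:$false -WhatIf
}

# Prevent end users from installing marketplace or custom add-ins themselves,
# so add-in deployment becomes an administrator decision. This removes the
# end-user app roles from the default role assignment policy.
$EndUserAppRoles = 'My Marketplace Apps', 'My Custom Apps', 'My ReadWriteMailbox Apps'
Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' |
    Where-Object { $EndUserAppRoles -contains $_.Role } |
    Remove-ManagementRoleAssignment -Confirm:$false -WhatIf
```

The mailbox enumeration is the slow part in a large tenant; run it once, keep the CSV, and re-run only against the mailboxes that matter. Removing the end-user app roles does not touch add-ins already installed, which is why the inventory and removal steps come first. Credential rotation and session revocation for the affected accounts, and the conditional access and sign-in risk policies mentioned above, are configured in Microsoft Entra ID rather than Exchange Online and are outside this script.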
Learnings and Recommendations
Browser and email extensions represent an expanding attack surface. Organisations should review which add-ins and extensions are permitted in their environments and restrict installation to an approved set.
Even small-scale credential harvesting incidents can serve as initial access for broader compromises, since a single valid Microsoft 365 credential opens email, file storage, and collaboration services at once.
Sources