The Add-ins Reading Your Email

That helpful browser extension or Outlook add-in might be harvesting everything you type. Here's how to audit what's watching you.

This week, security researchers discovered an Outlook add-in called AgreeTo had been hijacked to steal over 4,000 Microsoft account credentials. The add-in was legitimate once — a calendar sharing tool last updated in 2022. Someone bought the abandoned domain, replaced the authentication page with a phishing kit, and harvested logins from everyone still using it.

This wasn't a bug. It wasn't a vulnerability in Microsoft's code. It was a supply chain attack exploiting something most of us never think about: the extensions and add-ins quietly running in our browsers and email clients.

I want to talk about what these things can actually see, and what you can do about it.

What Extensions and Add-ins Actually Access

When you install a browser extension, you probably click through the permission prompt without reading it. I've done it too. But those permissions matter.

A typical extension might request:

"Read and change all your data on all websites" — This means everything. Every password you type. Every message you send. Your banking details. Health records. Private conversations. The extension sees it all in plaintext before encryption.

"Read your browsing history" — Where you go, when, how often. Patterns that reveal more than you'd think.

"Manage your downloads" — Can modify files you download before you see them.

Email add-ins are worse. An Outlook or Gmail add-in can:

  • Read every email in your inbox
  • See everyone you communicate with
  • Access your calendar and contacts
  • Send emails on your behalf

This is by design. Add-ins need these permissions to function. A grammar checker needs to read your text. A calendar tool needs to see your schedule. The problem is that the same permissions that enable helpful features also enable total surveillance.

The Abandoned Extension Problem

The AgreeTo attack worked because software gets abandoned but keeps running. The original developer stopped updating it in 2022. Someone else noticed, bought the expired domain, and weaponised the existing user base.

This happens constantly. Researchers have documented hundreds of extensions changing hands this way. Sometimes the new owner is legitimate. Sometimes they inject ads. Sometimes they steal credentials.

You might have extensions installed right now that:

  • Haven't been updated in years
  • Were sold to new owners
  • Had their domains expire and get bought by someone else
  • Are silently sending data to third parties

And you'd never know unless you actively checked.

How to Audit Your Browser Extensions

Open your browser's extension management page:

  • Chrome: chrome://extensions
  • Firefox: about:addons
  • Edge: edge://extensions

For each extension, ask yourself:

  1. Do I actually use this? If you can't remember what it does, remove it.

  2. When was it last updated? In Chrome, click "Details" on each extension to see the last update date. Anything over 12 months is concerning. Over 2 years is a red flag.

  3. What permissions does it have? Look at what data it can access. Does a coupon finder really need to "read all your data on all websites"?

  4. Who made it? Is there a legitimate company or developer behind it? Can you find their website?

  5. Is it open source? Open source extensions can be audited by anyone. That doesn't guarantee safety, but it helps.

My rule: if an extension hasn't been updated in a year, I remove it and find an alternative. Abandoned software is a liability.
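As an added example (not from the original post), this Python script applies the checklist above to the manifest.json files that Chrome and Edge keep on disk for each installed extension: it flags broad host access of the "all your data on all websites" kind, the sensitive permissions named earlier, and anything stale by the post's 12-month and 2-year thresholds. The profile path and the use of the version directory's modification time as a stand-in for the store's last-update date are assumptions; the sample manifest is constructed.

```python
import json
import time
from pathlib import Path

# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth questioning on a coupon finder or PDF tool.
SENSITIVE_PERMS = {"history", "downloads", "cookies", "webRequest", "tabs", "clipboardRead"}
STALE_DAYS, RED_FLAG_DAYS = 365, 730  # the post's 12-month and 2-year thresholds

def host_patterns(manifest):
    """Collect host access from wherever the manifest version declares it."""
    hosts = set(manifest.get("host_permissions", []))  # manifest v3 field
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}  # v2
    for script in manifest.get("content_scripts", []):  # scripts injected into pages
        hosts |= set(script.get("matches", []))
    return hosts

def audit_manifest(manifest, updated_epoch, now=None):
    """Return name, version, age in days and the checklist findings for one extension."""
    now = time.time() if now is None else now
    age_days = (now - updated_epoch) / 86400
    findings = []
    if host_patterns(manifest) & BROAD_HOSTS:
        findings.append("reads/changes data on all websites")
    for perm in sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMS):
        findings.append(f"permission: {perm}")
    if age_days > RED_FLAG_DAYS:
        findings.append(f"not updated for {age_days / 365:.1f} years (red flag)")
    elif age_days > STALE_DAYS:
        findings.append(f"not updated for {age_days:.0f} days (stale)")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "age_days": round(age_days), "findings": findings}

def scan_profile(profile_dir, now=None):
    """Audit every Extensions/<id>/<version>/manifest.json under a Chrome or Edge profile.
    Assumption: the version directory's mtime stands in for the store's last-update date."""
    results = []
    for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        results.append(audit_manifest(json.loads(mf.read_text(encoding="utf-8")), mf.stat().st_mtime, now))
    return results

# Constructed sample manifest (not a real extension) so the script runs offline.
SAMPLE_MANIFEST = {"name": "Coupon Finder", "version": "1.4", "manifest_version": 3,
                   "permissions": ["storage", "history"], "host_permissions": ["<all_urls>"]}
if __name__ == "__main__":  # assumed Linux Chrome path; adjust for macOS/Windows
    profile = Path.home() / ".config" / "google-chrome" / "Default"
    reports = scan_profile(profile) if profile.exists() else [audit_manifest(SAMPLE_MANIFEST, time.time() - 3 * 365 * 86400)]
    for r in reports:
        print(f"{r['name']} {r['version']}: " + ("; ".join(r["findings"]) or "nothing flagged"))
```

A flagged entry is a prompt to look at the Web Store listing and the developer behind it, not proof of wrongdoing; a password manager's own extension will legitimately show broad host access.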

Auditing Email Add-ins

In Outlook (desktop or web):

  • Click Get Add-ins or go to File > Manage Add-ins
  • Review what's installed
  • Check when each was last updated
  • Remove anything you don't actively use

In Gmail:

  • Go to Settings > See all settings > Add-ons
  • Review and remove unused ones

The AgreeTo attack specifically targeted Outlook add-ins. If you installed anything for calendar management or scheduling years ago, now would be a good time to check if it's still maintained.

What Legitimate Extensions Can Still Do

Even well-intentioned extensions from reputable companies collect data. That's often their business model.

Free extensions frequently:

  • Track your browsing for analytics
  • Sell aggregated data to advertisers
  • Include affiliate codes in your shopping
  • Phone home with usage statistics

This isn't necessarily malicious, but it's not what most people expect from a "free" tool.

Read the privacy policy. I know, nobody does this. But for extensions with access to your sensitive data, it's worth 5 minutes. Search for words like "share," "sell," "partners," and "anonymised."

"Anonymised" data often isn't. Researchers have repeatedly de-anonymised browsing data to identify individuals.

Safer Alternatives

For password management: Use a standalone password manager (Bitwarden, 1Password) rather than a browser extension that stores passwords. If you must use a browser extension, stick to the official one from your password manager.

For ad blocking: uBlock Origin is open source, well-audited, and doesn't sell data. It's one of the few extensions I fully trust.

For grammar checking: Consider using built-in browser spell check instead of third-party tools that read everything you type.

For email productivity: Native features in Outlook and Gmail have improved significantly. You might not need that scheduling add-in anymore.

The fewer extensions you have, the smaller your attack surface.

When Companies Require Add-ins

Some workplaces mandate specific extensions or add-ins. If your employer requires tools you're uncomfortable with, you have limited options:

  1. Ask IT about what data the tools collect
  2. Use separate browser profiles for work and personal browsing
  3. Assume everything you do in the work profile is monitored

This is especially relevant in Europe, where GDPR applies to employee data too. Your employer should be able to tell you what data workplace tools collect and why.

Signs Something Has Gone Wrong

Watch for:

  • Extensions you don't remember installing
  • Unexpected redirects or ads
  • Browser performance suddenly degrading
  • Your passwords being compromised despite good security hygiene
  • Unusual network activity

If you've been using an extension that recently changed ownership or started behaving differently, change any passwords you've entered while it was installed.

The Bigger Picture

The AgreeTo incident isn't an isolated case. It's a symptom of how software supply chains work. We install tools, forget about them, and trust they'll stay safe forever. They don't.

Extensions and add-ins sit in a privileged position — between you and everything you do online. A compromised extension is worse than malware because it's already inside your trusted environment, with permissions you granted.

The fix isn't complicated:

  1. Audit what you have installed
  2. Remove what you don't use
  3. Prefer actively maintained tools from known developers
  4. Re-check every few months

Five minutes of maintenance prevents the kind of slow credential bleed that caught 4,000 people this week.

What I'm Removing Today

I audited my own extensions while writing this. I found:

  • A PDF tool I haven't used in two years
  • A screenshot extension I forgot I installed
  • A "save to Notion" button that Notion's native web clipper replaced ages ago

All gone. My browser is faster, my attack surface is smaller, and I have three fewer things to worry about.

Your turn.
