Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware
https://thehackernews.com/2026/02/weekly-recap-outlook-add-ins-hijack-0.html
Publish Date: 2026-02-16 07:55:00
Source Domain: thehackernews.com
This week’s recap shows how small gaps are turning into big entry points, not always through new exploits but often through tools, add-ons, cloud setups, or workflows that people already trust and rarely question.
Another signal: attackers are mixing old and new methods. Legacy botnet tactics, modern cloud abuse, AI assistance, and supply-chain exposure are being used side by side, whichever path gives the easiest foothold.
Below is the full weekly recap — a condensed scan of the incidents, flaws, and campaigns shaping the threat landscape right now.
⚡ Threat of the Week
Malicious Outlook Add-in Turns Into Phishing Kit — In an unusual case of a supply chain attack, the legitimate AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials. This was made possible by seizing control of a domain associated with the now-abandoned project to serve a fake Microsoft login page. The incident demonstrates how overlooked and abandoned assets turn into attack vectors. “What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they’re distributed through Microsoft’s own store, which carries implicit trust,” Koi Security’s Idan Dardikman said. Microsoft has since removed the add-in from its store.
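A defender-side inventory check for the risk described above, as an added example that is not from the original article or from Koi Security: it parses an Office add-in manifest, lists every host the add-in loads content from, and flags mail-capable add-ins that depend on hosts nobody has vetted. The sample manifest, its hosts and the `vetted_hosts` allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Manifest permission levels that let an add-in read or modify mail.
MAIL_ACCESS = {"ReadItem", "ReadWriteItem", "ReadWriteMailbox"}

# Constructed sample manifest; the add-in name, GUID and hosts are made up.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <AppDomains><AppDomain>https://cdn.example-scheduler.test</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://app.example-scheduler.test/pane.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""

def audit_manifest(xml_text, vetted_hosts):
    """Return the add-in's permission level, every host it loads content
    from, and the hosts that are not in the caller's vetted set."""
    root = ET.fromstring(xml_text)
    hosts, permission, name = set(), None, None
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if tag == "Permissions":
            permission = (el.text or "").strip()
        elif tag == "DisplayName":
            name = el.get("DefaultValue")
        # URLs appear as DefaultValue attributes (SourceLocation, bt:Url,
        # IconUrl) or as element text (AppDomain).
        for value in (el.get("DefaultValue"), el.text):
            parsed = urlparse((value or "").strip())
            if parsed.scheme in ("http", "https") and parsed.hostname:
                hosts.add(parsed.hostname.lower())
    unvetted = sorted(h for h in hosts if h not in vetted_hosts)
    return {
        "name": name,
        "permission": permission,
        "hosts": sorted(hosts),
        "unvetted_hosts": unvetted,
        # Mail access plus a dependency on an unvetted host warrants review.
        "review": bool(unvetted) and permission in MAIL_ACCESS,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, vetted_hosts={"cdn.example-scheduler.test"}))
```

Because the manifest only points at remote content, the hosts it names need periodic ownership and registration checks for as long as the add-in stays deployed.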
🔔 Top News
- Google Releases Fixes for Actively Exploited Chrome 0-Day — Google shipped security updates for its Chrome browser to address a flaw that it said has been exploited in the wild. The high-severity vulnerability, tracked as CVE-2026-2441 (CVSS score: 8.8), has been described as a use-after-free bug in CSS that could result in arbitrary code execution. Google did not disclose any details about how the vulnerability is being exploited in the wild, by whom, or who may have been targeted,…