Cybersecurity researchers have identified what they describe as the first known malicious Microsoft Outlook add-in discovered in the wild, exposing a new attack surface within Microsoft’s trusted ecosystem.

According to security firm Koi Security, an unknown attacker hijacked the domain of a previously legitimate Outlook add-in called AgreeTo and used it to host a counterfeit Microsoft login page. The campaign, codenamed AgreeToSteal, resulted in the theft of more than 4,000 Microsoft user credentials. AgreeTo was originally marketed as a productivity tool that allowed users to connect multiple calendars in one place and share availability through email. The add-in was last updated in December 2022 and later became abandonware after its developer discontinued maintenance.
The incident highlights a supply chain weakness that extends beyond traditional software packages. Idan Dardikman, co-founder and CTO of Koi Security, said the case represents a widening of attack vectors across trusted distribution platforms. Similar tactics have previously targeted browser extensions, npm packages, and IDE plugins, where approved software can later be altered without renewed scrutiny. Office add-ins, however, introduce added concerns because they operate directly inside Outlook, where users handle sensitive communications and data. These add-ins can request permissions to read and modify emails, making any compromise particularly serious. In this case, the original developer was not at fault. Instead, the attacker exploited the gap between project abandonment and platform oversight.
At the center of the attack is how Office add-ins function. Developers submit a manifest file through Microsoft’s Partner Center for approval. Once signed off, the manifest declares a URL from which content is fetched dynamically each time the add-in loads inside Outlook through an iframe. Microsoft reviews the manifest at submission, but the live content served from the declared URL is not continuously monitored. For AgreeTo, the manifest referenced a Vercel-hosted address, outlook-one.vercel.app. After the developer deleted the deployment around 2023, the domain became claimable. The attacker took control of it and deployed a phishing kit that displayed a fake Microsoft sign-in page. Entered credentials were captured and exfiltrated via the Telegram Bot API before victims were redirected to the legitimate Microsoft login portal. The malicious infrastructure remains active at the time of reporting.
Koi Security warned that the impact could have extended beyond credential harvesting. AgreeTo was configured with ReadWriteItem permissions, allowing it to read and modify user emails. A malicious operator could have leveraged this capability to silently extract mailbox data or inject harmful scripts. The researchers emphasized that the issue is structural and not limited to Microsoft Marketplace or Office Store. Marketplaces that rely on remote dynamic dependencies are vulnerable when approvals are granted once without ongoing monitoring of referenced URLs. Recently, Open VSX announced plans to enforce stricter security checks before extensions are published to its repository, and Microsoft’s Visual Studio Code Marketplace conducts periodic bulk rescanning of packages. Dardikman noted that without mechanisms to trigger re-reviews when content changes, verify domain ownership, or flag abandoned add-ins, similar risks will persist across software ecosystems that rely on externally hosted resources.
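The manifest mechanism and the ReadWriteItem permission described above are what a defender can audit before an add-in is allowed into a tenant. The following is an added example, not code from Koi Security or from the AgreeTo project: it parses an Outlook add-in manifest, pulls out every SourceLocation URL and the declared permission level, and flags the combination seen in this incident, content served from a reclaimable hosting subdomain plus mail write access. The sample manifest, its GUID, display name and URL are constructed placeholders, and the list of reclaimable hosting suffixes is a heuristic chosen for the example.

```python
"""Audit an Office add-in manifest for remotely hosted content and mailbox permissions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest, modelled on the Outlook add-in schema; the name,
# GUID and URL are placeholders, not values from the AgreeTo incident.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Calendar Add-in"/>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-addin.vercel.app/index.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""

# Hosting platforms whose subdomains are released when a deployment is deleted
# (heuristic list for this example; vercel.app is the case from the article).
RECLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "herokuapp.com")
def _local(tag: str) -> str:
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text: str) -> dict:
    """Return source URLs, declared permission and risk flags for one manifest."""
    root = ET.fromstring(xml_text)
    urls = sorted({el.get("DefaultValue") for el in root.iter()
                   if _local(el.tag) == "SourceLocation" and el.get("DefaultValue")})
    perm_el = next((el for el in root.iter() if _local(el.tag) == "Permissions"), None)
    permission = (perm_el.text or "").strip() if perm_el is not None else "Restricted"
    hosts = {urlparse(u).hostname for u in urls} - {None}
    third_party = sorted(h for h in hosts if h.endswith(RECLAIMABLE_SUFFIXES))
    can_modify = permission in ("ReadWriteItem", "ReadWriteMailbox")
    return {
        "urls": urls,
        "permission": permission,
        "third_party_hosted": third_party,
        "can_modify_mail": can_modify,
        # Reclaimable host plus mail write access is the AgreeToSteal shape.
        "high_risk": bool(third_party) and can_modify,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Run it over every manifest deployed in the tenant and resolve the flagged hosts periodically; a host that stops resolving after approval is exactly the abandonment window the attacker used here.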