AgreeTo: Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts

Malicious AgreeTo Outlook Add-In Hijacked to Steal 4,000 Microsoft Credentials

A legitimate Outlook add-in, AgreeTo, was hijacked by threat actors and repurposed as a phishing kit, resulting in the theft of over 4,000 Microsoft account credentials, along with credit card details and banking security answers. Originally developed as a meeting scheduling tool, the add-in was published on Microsoft’s Office Add-in Store in December 2022 by an independent developer who later abandoned the project, leaving its Vercel-hosted URL (outlook-one.vercel.app) vulnerable to takeover.

Researchers at supply-chain security firm Koi Security discovered that the abandoned URL was claimed by a threat actor, who replaced the add-in’s legitimate content with a fake Microsoft sign-in page, a credential harvesting script, and an exfiltration mechanism. Once installed, the malicious add-in displayed a convincing phishing prompt in Outlook’s sidebar, tricking users into entering their credentials. Stolen data was transmitted via a Telegram bot API before victims were redirected to the real Microsoft login page to avoid suspicion.

The add-in retained ReadWriteItem permissions, allowing it to access and modify user emails, though no such activity was confirmed. Koi Security found that the attacker operates multiple phishing kits targeting ISPs, banks, and webmail providers. The compromised AgreeTo add-in remained available on Microsoft’s store until its removal on the day of disclosure.

This incident marks the first known case of malware distributed via Microsoft’s official Marketplace and the first malicious Outlook add-in detected in the wild. Microsoft’s review process for add-ins, which is limited to initial manifest verification, failed to detect the compromise, because the malicious content was loaded at runtime from the attacker-controlled server rather than being part of the reviewed manifest. No official response from Microsoft has been issued at this time.
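The two points above (the add-in's ReadWriteItem permission and the fact that the manifest only references a URL whose content can change after review) can be turned into a defender-side check. The script below is an added example, not code from Koi Security, Microsoft or the AgreeTo developer: it parses an Office add-in manifest, collects every https URL it references, reads the requested permission level, and flags content served from re-claimable shared hosting. The manifest is a constructed sample (only the element names follow the real schema), and the SHARED_HOSTING list is an illustrative assumption.

```python
"""Audit an Outlook add-in manifest for re-claimable hosting and broad mail permissions.
Added example; the manifest below is constructed and the hosting list is an assumption."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Shared-hosting suffixes where a released subdomain can be re-registered by anyone;
# vercel.app is the one the AgreeTo add-in pointed at. Assumption: list is illustrative.
SHARED_HOSTING = ("vercel.app", "netlify.app", "github.io", "herokuapp.com")
BROAD_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Developer</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Scheduler (constructed sample)"/>
  <Description DefaultValue="Constructed manifest for the audit example"/>
  <IconUrl DefaultValue="https://scheduler-demo.vercel.app/icon.png"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://scheduler-demo.vercel.app/taskpane.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</OfficeApp>"""

def on_shared_hosting(host: str) -> bool:
    """True if host is exactly, or a subdomain of, a shared-hosting suffix."""
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING)

def audit_manifest(xml_text: str) -> dict:
    """Collect every https URL and the permission level, then flag risky combinations."""
    root = ET.fromstring(xml_text)
    urls = sorted({el.get("DefaultValue") for el in root.iter()
                   if el.get("DefaultValue", "").startswith("https://")})
    # Tags are namespaced ({ns}Permissions); compare on the local name only.
    perms = {el.text.strip() for el in root.iter()
             if el.tag.rsplit("}", 1)[-1] == "Permissions" and el.text}
    hosts = sorted({urlparse(u).hostname for u in urls})
    findings = []
    for host in hosts:
        if on_shared_hosting(host):
            findings.append(f"content served from re-claimable shared host {host}")
    if perms & BROAD_PERMISSIONS and any(on_shared_hosting(h) for h in hosts):
        findings.append("broad mail permissions combined with re-claimable hosting")
    return {"hosts": hosts, "permissions": sorted(perms), "findings": findings}
```

Running `audit_manifest(SAMPLE_MANIFEST)` on the sample reports both findings; in an inventory run, a host that has stopped resolving or has changed ownership since approval is the signal that warrants a re-review of the add-in.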

Source: https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/

Agree.com cybersecurity rating report: https://www.rankiteo.com/company/agreehq

"id": "AGR1770850632",
"linkid": "agreehq",
"type": "Vulnerability",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '4,000+ users',
                        'industry': 'Software',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Technology Company'},
                       {'industry': 'Software',
                        'name': 'AgreeTo Developer',
                        'size': 'Small/Individual',
                        'type': 'Independent Developer'}],
 'attack_vector': 'Malicious Office Add-in',
 'data_breach': {'data_exfiltration': 'Yes (via Telegram bot API)',
                 'number_of_records_exposed': '4,000+',
                 'personally_identifiable_information': 'Yes (credentials, '
                                                        'financial data)',
                 'sensitivity_of_data': 'High (PII, financial data)',
                 'type_of_data_compromised': ['Microsoft account credentials',
                                              'Credit card details',
                                              'Banking security answers']},
 'description': 'A legitimate Outlook add-in, AgreeTo, was hijacked by threat '
                'actors and repurposed as a phishing kit, resulting in the '
                'theft of over 4,000 Microsoft account credentials, along with '
                'credit card details and banking security answers. The add-in '
                'was originally developed as a meeting scheduling tool but was '
                'abandoned by its developer, leaving its Vercel-hosted URL '
                'vulnerable to takeover. The threat actor replaced the '
                'add-in’s legitimate content with a fake Microsoft sign-in '
                'page, credential harvesting script, and exfiltration '
                'mechanism. Stolen data was transmitted via a Telegram bot API '
                'before victims were redirected to the real Microsoft login '
                'page to avoid suspicion.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Microsoft and the AgreeTo developer',
            'data_compromised': '4,000+ Microsoft account credentials, credit '
                                'card details, banking security answers',
            'identity_theft_risk': 'High (credentials, credit card details, '
                                   'banking security answers)',
            'payment_information_risk': 'High (credit card details exposed)',
            'systems_affected': 'Microsoft Outlook with AgreeTo add-in '
                                'installed'},
 'initial_access_broker': {'entry_point': 'Abandoned Vercel-hosted URL '
                                          '(outlook-one.vercel.app)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Microsoft’s add-in review process failed to detect the '
                    'compromise due to reliance on initial manifest '
                    'verification. Abandoned projects with vulnerable '
                    'dependencies pose significant supply-chain risks. '
                    'Enhanced monitoring of third-party dependencies and '
                    'post-approval reviews are necessary to prevent similar '
                    'incidents.',
 'motivation': 'Financial gain, credential theft',
 'post_incident_analysis': {'corrective_actions': ['Removal of the malicious '
                                                   'add-in from the store.',
                                                   'Potential improvements to '
                                                   'Microsoft’s add-in review '
                                                   'process.'],
                            'root_causes': ['Abandoned project with vulnerable '
                                            'third-party dependency (Vercel '
                                            'URL).',
                                            'Inadequate post-approval '
                                            'monitoring of add-ins in '
                                            'Microsoft’s Office Add-in Store.',
                                            'Over-reliance on initial manifest '
                                            'verification without dynamic '
                                            'content checks.']},
 'recommendations': ['Implement continuous monitoring of add-ins post-approval '
                     'to detect malicious updates.',
                     'Enforce stricter controls on abandoned projects and '
                     'third-party dependencies.',
                     'Enhance user awareness of phishing risks associated with '
                     'Office add-ins.',
                     'Improve incident response protocols for supply-chain '
                     'attacks.'],
 'references': [{'source': 'Koi Security'}],
 'response': {'containment_measures': 'Removal of the malicious add-in from '
                                      'Microsoft’s Office Add-in Store',
              'third_party_assistance': 'Koi Security (supply-chain security '
                                        'firm)'},
 'title': 'Malicious AgreeTo Outlook Add-In Hijacked to Steal 4,000 Microsoft '
          'Credentials',
 'type': 'Phishing',
 'vulnerability_exploited': 'Abandoned Vercel-hosted URL takeover'}