Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.
In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been codenamed AgreeToSteal by the cybersecurity company.
The Outlook add-in in question is AgreeTo, which is advertised by its developer as a way for users to connect different calendars in a single place and share their availability through email. The add-in was last updated in December 2022.
Idan Dardikman, co-founder and CTO of Koi, told The Hacker News that the incident represents a broadening of supply chain attack vectors.
“This is the same class of attack we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval,” Dardikman said. “What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they’re distributed through Microsoft’s own store, which carries implicit trust.”
“The AgreeTo case adds another dimension: the original developer did nothing wrong. They built a legitimate product and moved on. The attack exploited the gap between when a developer abandons a project and when the platform notices. Every marketplace that hosts remote dynamic dependencies is susceptible to this.”
At its core, the attack exploits how Office add-ins work and the lack of periodic content monitoring of add-ins published to the Marketplace. According to Microsoft’s documentation, add-in developers are required to create an account and submit their solution to the Partner Center, following which it is subjected to an approval process.
What’s more, Office add-ins make use of a manifest file that declares a URL, the contents of which are fetched and served in real-time from the developer’s server every time it’s opened within an iframe element inside the application. However, there is nothing stopping a bad actor from taking control of an expired domain.
In the case of AgreeTo, the manifest file pointed to a URL hosted on Vercel (“outlook-one.vercel[.]app”), which became claimable after the developer’s Vercel deployment was deleted due to it essentially becoming abandonware sometime around 2023.
The attacker took advantage of this behavior to stage a phishing kit on that URL that displayed a fake Microsoft sign-in page, capturing entered passwords, exfiltrating the details via the Telegram Bot API, and eventually redirecting the victim to the actual Microsoft login page. The infrastructure is still live as of writing.
But Koi warns that the incident could have been worse. Given that the add-in is configured with “ReadWriteItem” permissions – which allows it to read and modify the user’s emails – a threat actor could have abused this blind spot to deploy JavaScript that can covertly siphon a victim’s mailbox contents.
The findings once again bring to fore the need for rescanning packaged and tools uploaded to marketplaces and repositories to flag malicious/suspicious activity.
Dardikman said while Microsoft reviews the manifest during the initial submission phase, there is no control over the actual content that is retrieved live from the developer’s server once it’s signed and approved. As a result, the absence of continued monitoring of what the URL serves opens the door to unintended security risks every time an unsuspecting user opens the add-in.
“Office add-ins are fundamentally different from traditional software,” Dardikman added. “They don’t ship a static code bundle. The manifest simply declares a URL, and whatever that URL serves at any given moment is what runs inside Outlook. In AgreeTo’s case, Microsoft signed the manifest in December 2022, pointing to outlook-one.vercel.app. That same URL is now serving a phishing kit, and the add-in is still listed in the store.”
To counter the security issues posed by the threat, Koi recommends a number of steps that Microsoft can take –
- Trigger a re-review when an add-in’s URL starts returning different content from what it was during review.
- Verify ownership of the domain to ensure that it’s managed by the add-in developer, and flag add-ins where the domain infrastructure has changed hands.
- Implement a mechanism for delisting or flagging add-ins that have not been updated beyond a certain time period.
- Display installation counts as a way to assess impact.
It bears noting that the problem is not limited to Microsoft Marketplace or the Office Store alone. Last month, Open VSX announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository. Microsoft’s VS Code Marketplace, similarly, does periodic bulk rescanning of all packages in the registry.
“The structural problem is the same across all marketplaces that host remote dynamic dependencies: approve once, trust forever,” Dardikman said. “The specifics vary by platform, but the fundamental gap that enabled AgreeTo exists anywhere a marketplace reviews a manifest at submission without monitoring what the referenced URLs actually serve afterward.”
Update
As of February 12, 2026, the AgreeTo add-in is no longer available from Microsoft Marketplace. Users who are still using AgreeTo are advised to remove it as soon as possible, and to reset their Microsoft account passwords out of an abundance of caution.
“We have removed the add-in from our store, and have taken additional steps to protect potentially impacted customers,” a Microsoft spokesperson told The Hacker News via email. “We immediately take action when we detect malicious activity in our marketplace and will continue to enhance our ability to proactively detect those behaviors.”
(The story was updated after publication to include a response from Microsoft.)
