First Malicious Outlook Add-In Ever Detected in the Wild Steals 4,000+ Credentials
Security researchers at Koi Security discovered the first known malicious Microsoft Outlook add-in, dubbed AgreeToSteal. Attackers hijacked an abandoned legitimate calendar tool by claiming its orphaned Vercel URL, turning Microsoft's own infrastructure into a phishing delivery mechanism that harvested over 4,000 Microsoft account credentials.
You know how security researchers have been warning about browser extensions for years? The sketchy permissions, the supply chain risks, the potential for hijacking? Well, Microsoft Outlook add-ins just joined that party. And the welcome gift was 4,000 stolen credentials.
Koi Security dropped a bombshell this week with their discovery of what they're calling "AgreeToSteal"—the first known malicious Outlook add-in ever detected in the wild. The twist that makes this story genuinely unsettling is that the original developer didn't do anything wrong. They built a legitimate tool, published it through Microsoft's official store, passed Microsoft's review process, and then moved on with their life. The attack happened because of what came after.
AgreeTo was a real product. A meeting scheduling tool that let users sync availability across different calendars, complete with Microsoft Graph API integration, Google Calendar support, and even Stripe billing. The developer maintained an active GitHub repo and published the Outlook add-in to Microsoft's Office Add-in Store in December 2022. A companion Chrome extension picked up over a thousand users and a 4.71-star rating. This wasn't malware disguised as software. It was software that worked.
Then development stopped. The last Chrome extension update shipped in May 2023. The developer's domain expired. By mid-2024, users were leaving confused reviews asking if the project had died. Google eventually removed the abandoned Chrome extension in February 2025. But the Outlook add-in? It stayed listed in Microsoft's store, still pointing to a Vercel URL that no longer belonged to anyone.
That's where things went sideways. At some point after the developer abandoned the project, their Vercel deployment was deleted, and the subdomain outlook-one.vercel.app became claimable. An attacker claimed it. They deployed a four-page phishing kit—a fake Microsoft sign-in page, a password collection page, an exfiltration script, and a redirect—and Microsoft's own infrastructure started serving it directly inside Outlook's sidebar.
Understanding why this worked requires understanding how Office add-ins actually function. They're not installed code in the traditional sense. They're URLs. A developer submits a manifest file to Microsoft—essentially an XML document that says "load this URL in an iframe inside Outlook." Microsoft reviews the manifest, signs it, and lists the add-in in their store. But the actual content—the interface, the logic, everything the user interacts with—gets fetched live from the developer's server every time the add-in opens.
Microsoft blessed the AgreeTo manifest once, back in December 2022. They never check what that URL serves again. Whatever outlook-one.vercel.app delivers at runtime is what executes inside Outlook. If the developer pushes a bad update, it's live immediately. If someone else takes control of that URL, they control what every user of that add-in sees—inside Outlook's trusted sidebar, with whatever permissions the manifest originally requested.
And here's the kicker: AgreeTo had been granted ReadWriteItem permission. In Outlook's add-in permission model that lets the add-in read and modify the message or appointment the user currently has open (mailbox-wide access through EWS or Graph requires the higher ReadWriteMailbox level). Perfectly reasonable for a legitimate meeting scheduler that needs to access calendar invitations. Considerably less reasonable for whoever controls that URL today. The attacker stuck with basic credential theft, but nothing stopped them from deploying JavaScript that silently reads every message the victim opens while the pane is active, exfiltrates sensitive content, or tampers with drafts the victim is composing. The permission was granted when the add-in was legitimate. It still applies now that it isn't.
When a victim opens the hijacked AgreeTo add-in in Outlook, they don't see a meeting scheduler. They see a Microsoft sign-in page rendered in Outlook's sidebar. They enter their email, then their password. A single JavaScript function collects the credentials along with the victim's IP address and sends everything to the attacker via Telegram's Bot API. No complex command-and-control infrastructure. Just a fetch() call to Telegram.
Then comes a loading spinner for a few seconds, followed by a seamless redirect to the real login.microsoftonline.com. The victim assumes they need to sign in again and goes about their day, completely unaware that their password was just harvested.
The phishing technique itself is almost embarrassingly basic. What makes it devastatingly effective is the context. It's running inside Outlook, delivered by Microsoft's own add-in infrastructure, behind a trusted permission prompt. This isn't some suspicious email with a weird link. This is Microsoft's store. Microsoft's UI. Microsoft's implicit trust.
Koi Security managed to access the attacker's exfiltration infrastructure, which was poorly secured. What they found went well beyond the Outlook add-in. Over 4,000 Microsoft account credentials had been stolen, along with credit card numbers, CVVs, PINs, and banking security answers used to intercept Interac e-Transfer payments. The same attacker operates at least twelve distinct phishing kits, each impersonating a different brand—Canadian ISPs, banks, webmail providers. This is a professional, multi-brand phishing operation. The Outlook add-in was just one distribution channel.
The attacker was actively testing stolen credentials while researchers were examining the infrastructure. The campaign was live as Koi published their findings.
For existing security tooling, this attack is nearly invisible. Email security gateways won't catch it because the phishing page doesn't arrive via email. Endpoint protection won't flag it because it's JavaScript running inside a legitimate Microsoft process. URL filtering will miss it because the phishing pages are hosted on vercel.app, which serves millions of legitimate applications.
What makes this particularly frustrating is that none of it is surprising. Security researchers at MDSec flagged Office add-ins as an attack surface back in 2019, demonstrating how they could be weaponized to gain persistent access to a victim's mailbox. Their post ended with a warning: "Microsoft also allow developers to push these add-ins to a store, where users can install them. I'm sure you can see the potential problem there."
Seven years later, AgreeTo is exactly the scenario they predicted.
Microsoft has since removed the add-in from their store following Koi's report. Vercel has received abuse reports for the phishing domain. Telegram has been notified about both the bot and the operator account. Affected victims whose credentials were found in the bot's message history have been notified where possible.
If you have AgreeTo installed in Outlook, remove it immediately and reset your Microsoft password. But the broader lesson here extends beyond one abandoned side project. Office add-ins are remote dynamic dependencies: the manifest Microsoft reviewed is static, but everything it points at is fetched live, so a point-in-time audit only tells you what the add-in was on the day you looked. Inventory the add-ins deployed across your tenant, pull the source URLs out of each manifest, and check whether those hosts still belong to a vendor that is alive and maintaining the product. The next dead project waiting to be hijacked is probably already sitting in your organization's installed add-ins, pointing to a URL that nobody's watching anymore.
References
- Koi Security Research: https://www.koi.ai/blog/agreetosteal-the-first-malicious-outlook-add-in-leads-to-4-000-stolen-credentials
- BleepingComputer: https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/