Malicious Outlook Add-in Breaches 4,000 Microsoft Accounts in Elaborate Store Hack

A malicious Outlook add-in dubbed AgreeToSteal compromised over 4,000 Microsoft accounts by exploiting an abandoned developer URL, turning a once-legitimate calendar-sharing tool into a credential-harvesting operation. The attacker claimed the orphaned Vercel hostname, deployed a convincing fake Microsoft login page on it, and quietly collected usernames, passwords and even credit card details, exfiltrating them through Telegram's bot API. Microsoft's one-time review left the door open: the content an approved add-in loads can change after approval without triggering any re-check. The attack shows that even official app stores are not immune to supply chain hijacking, and the full extent of any mailbox access remains unknown.

A once-legitimate Outlook add-in has been weaponised into a credential-harvesting machine, siphoning over 4,000 Microsoft account passwords through the very storefront meant to protect users. Because the lure appeared inside Outlook itself, loaded from a listing Microsoft had approved, the usual advice to install only from official sources offered no protection here.

The AgreeTo add-in, originally built for sharing calendars and availability, became the first known malicious Outlook add-in distributed through Microsoft's official Store. Dubbed AgreeToSteal by the Koi Security researchers who uncovered the scheme, the incident exposes a gap in how Microsoft manages third-party Office extensions after their initial approval: nothing re-verifies what an approved add-in serves once it is listed.

Here's where things get intriguing. Office add-ins don't actually live inside the Microsoft Store like traditional apps. The store entry is an XML manifest: a set of URLs (the task pane page, icons, function files) plus the mailbox permission level the add-in requests. The HTML and JavaScript that actually run inside Outlook are served from whatever host those URLs name, and that host belongs to the developer, not to Microsoft. Microsoft reviews the submission once; what the URLs serve afterwards is never re-checked, so the content can change completely without triggering any alarm.
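To make the "glorified bookmark" point concrete, here is an added example (not code from Koi Security, Microsoft or the AgreeTo project) that audits an Outlook add-in manifest for the two properties that mattered in this incident: which hosts the add-in's code actually loads from, and which mailbox permission it holds. The manifest is constructed for illustration, the list of hosting suffixes whose project subdomains can be re-registered after deletion is an assumption, and `live_hosts` is passed in by the caller (constructed here) so the check runs offline.

```python
"""Audit an Outlook add-in manifest for where its code loads from and what
mailbox permission it requests.  Added example, not code from Koi Security,
Microsoft or the AgreeTo project.  The manifest is constructed; the list of
claimable hosting suffixes is an assumption about which platforms free a
deleted project's subdomain for anyone to re-register."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the OfficeApp manifest schema used by Outlook (MailApp) add-ins.
NS = {"o": "http://schemas.microsoft.com/office/appforoffice/1.1"}

# Platforms on which a project's subdomain is freed when the project goes away.
# Assumed list for the example; extend it for your environment.
CLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io", ".herokuapp.com")

# Outlook add-in permission levels, least to most powerful.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Constructed sample: an abandoned calendar add-in served from a throwaway
# platform subdomain and holding ReadWriteItem, as AgreeTo did.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Dev</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Calendar Sharing"/>
  <Description DefaultValue="Share your availability from Outlook."/>
  <IconUrl DefaultValue="https://example-addin.vercel.app/icon-64.png"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-addin.vercel.app/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</OfficeApp>
"""


def manifest_urls(xml_text):
    """Every absolute URL the manifest tells Outlook to fetch. SourceLocation,
    IconUrl and (inside VersionOverrides) each bt:Url carry it in DefaultValue."""
    root = ET.fromstring(xml_text)
    return [el.get("DefaultValue") for el in root.iter()
            if el.get("DefaultValue", "").startswith(("http://", "https://"))]


def manifest_permission(xml_text):
    """Requested mailbox permission; treat an absent element as Restricted."""
    perm = ET.fromstring(xml_text).find("o:Permissions", NS)
    return perm.text.strip() if perm is not None and perm.text else "Restricted"


def audit(xml_text, live_hosts):
    """live_hosts: referenced hostnames that currently resolve. Passed in so the
    example runs offline; in practice resolve each host with DNS and treat
    NXDOMAIN or a platform 'project not found' page as dangling."""
    urls = manifest_urls(xml_text)
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    on_platform = [h for h in hosts if h.endswith(CLAIMABLE_SUFFIXES)]
    dangling = [h for h in on_platform if h not in live_hosts]
    permission = manifest_permission(xml_text)
    if dangling:
        verdict = "takeover-exposed"   # the name is free for anyone to claim
    elif on_platform and PERMISSION_RANK.get(permission, 0) >= PERMISSION_RANK["ReadWriteItem"]:
        verdict = "watch"              # live today, but one deleted project away
    else:
        verdict = "ok"
    return {"hosts": hosts, "platform_hosts": on_platform, "dangling_hosts": dangling,
            "permission": permission, "verdict": verdict}


if __name__ == "__main__":
    # Simulate the AgreeTo situation: nothing is serving the platform subdomain.
    print(audit(SAMPLE_MANIFEST, live_hosts=set()))
```

The check deliberately walks every `DefaultValue` attribute rather than a fixed list of element names, because the same takeover applies to icon and function-file URLs, and a VersionOverrides block adds its own `bt:Url` entries. Feed it the manifest of each add-in installed in your tenant and you get, per add-in, the hosts that must stay under the developer's control and the permission level a hijacked page would inherit.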


That's exactly what happened. AgreeTo was last updated in December 2022 and then abandoned by its original developer, while keeping a respectable 4.71-star rating in the store. The attacker didn't need to compromise Microsoft's review process or submit anything new. Once the original Vercel project was gone, its subdomain was available to anyone, so the attacker simply registered outlook-one.vercel.app themselves, and the manifest Microsoft had already approved now pointed at a server under their control. There they deployed a convincing fake Microsoft sign-in page that appeared directly in Outlook's sidebar.

Victims saw what looked like a legitimate credential prompt inside their trusted email client. Once they entered a username and password, the page posted the data to the attacker through Telegram's bot API, together with the victim's IP address. The victim was then redirected to the real Microsoft sign-in page, so the flow ended exactly where a genuine prompt would have, and most would have had no reason to suspect anything. The deception works because it borrows the trust users already place in the application around it: a familiar form in a familiar window, with no browser address bar to check.
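The exfiltration path described above leaves a distinctive trace in egress logs: a request to Telegram's bot API from the process that renders Outlook task panes, shortly after a fetch from the add-in's own origin and shortly before a hop to the real Microsoft sign-in page. The following is an added detection example, not Koi Security's tooling; the log format, the sample lines, the host-process names and the time window are all constructed assumptions.

```python
"""Flag the AgreeToSteal exfiltration pattern in egress-proxy logs.  Added
example, not Koi Security's detection.  Log format, sample lines, the
add-in host process names and the correlation window are assumptions."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Processes that render add-in task panes on Windows desktop Outlook (assumed:
# current builds host them in the WebView2 runtime, msedgewebview2.exe).
ADDIN_HOST_PROCS = {"outlook.exe", "msedgewebview2.exe"}

# Telegram bot API path: /bot<numeric bot id>:<secret>/<method>.  Only the bot
# id is captured so a finding can be pivoted on without copying the secret.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d{8,10}):[A-Za-z0-9_-]{30,}/")

MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".office.com",
                      ".office365.com", ".live.com", ".office.net")

# Constructed proxy lines: one victim workstation (10.1.4.22), one user simply
# browsing Telegram's web client (10.1.4.37), one benign add-in (10.1.4.40).
SAMPLE_LOG = """\
2025-11-03T14:02:09Z client=10.1.4.22 proc=msedgewebview2.exe method=GET url=https://outlook-sample.vercel.app/index.html
2025-11-03T14:02:31Z client=10.1.4.22 proc=msedgewebview2.exe method=POST url=https://api.telegram.org/bot123456789:AAHfakefakefakefakefakefakefakefake1/sendMessage
2025-11-03T14:02:32Z client=10.1.4.22 proc=msedgewebview2.exe method=GET url=https://login.microsoftonline.com/common/oauth2/authorize
2025-11-03T14:05:10Z client=10.1.4.37 proc=chrome.exe method=GET url=https://web.telegram.org/a/
2025-11-03T14:06:00Z client=10.1.4.40 proc=msedgewebview2.exe method=GET url=https://addin.example.com/taskpane.html
"""


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> dict with parsed time and split URL."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    parts = urlsplit(ev["url"])
    ev["host"], ev["path"] = (parts.hostname or ""), parts.path
    return ev


def telegram_bot_id(host, path):
    """Bot id if this is a Telegram bot API call; web.telegram.org is not one."""
    if host != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(path)
    return m.group("bot_id") if m else None


def detect(log_text, window_seconds=120):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        bot_id = telegram_bot_id(ev["host"], ev["path"])
        if bot_id is None or ev["proc"].lower() not in ADDIN_HOST_PROCS:
            continue
        same = [e for e in events if e["client"] == ev["client"]]
        # Most recent non-Microsoft, non-Telegram origin this client loaded just
        # before the exfil call: that is the page that hosted the fake prompt.
        origin = next((e["host"] for e in reversed(same)
                       if e["ts"] <= ev["ts"] and ev["ts"] - e["ts"] <= window
                       and e["host"] != "api.telegram.org"
                       and not e["host"].endswith(MICROSOFT_SUFFIXES)), None)
        # The kit bounces the victim to the genuine sign-in page right after.
        bounced = any(e["host"] == "login.microsoftonline.com"
                      and timedelta(0) <= e["ts"] - ev["ts"] <= window for e in same)
        findings.append({"client": ev["client"], "proc": ev["proc"], "bot_id": bot_id,
                         "addin_origin": origin, "followed_by_real_login": bounced})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Keying on the process is what keeps this from being a generic "someone used Telegram" rule: a browser talking to web.telegram.org is normal, while the WebView2 host that renders Outlook task panes calling the bot API with a token in the path is not something a calendar add-in needs to do. The `addin_origin` field gives you the hostname to pull the manifest for, and the sign-in bounce is the confirming signal that a credential prompt was involved.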

The scope extends beyond basic credentials. Koi Security's investigation found the attacker also collecting credit card numbers, CVVs, PINs and the security answers used for Interac e-Transfer. During analysis, the researchers watched the attacker testing stolen credentials in real time, a sobering reminder that these weren't going into some dusty database.

More concerning: the add-in retained the ReadWriteItem permission it had been granted as a calendar tool. That level lets add-in code read and modify the message or appointment the user currently has open, from inside the user's own session. It is one step short of ReadWriteMailbox, the level that covers the whole mailbox, but it is still far more than a sign-in form has any reason to hold. Whether the attacker used this capability is unconfirmed, but the potential was there.

The operator behind AgreeToSteal runs roughly a dozen phishing kits targeting banks, ISPs and webmail services. This wasn't sophisticated nation-state tradecraft, just opportunistic supply chain exploitation of the same kind seen with compromised browser extensions or hijacked npm packages. The attacker chose the path of least resistance, relying on the implicit trust users place in a Microsoft-listed add-in rather than on complex command-and-control infrastructure.

Microsoft removed the add-in after Koi's disclosure, but the fundamental weakness persists. Any abandoned add-in whose hostname can be re-registered can become a trojan horse overnight. As Koi describes the process, Microsoft's review examines the submitted manifest once, and nothing verifies afterwards that the referenced URLs still serve what was reviewed. The gap sits between developer abandonment and platform oversight, and it is a gap in a legitimate distribution channel, not in some shady download site. For enterprise users especially, the lesson is clear: even official stores require scrutiny. If you or your users have installed third-party Outlook add-ins recently, credential monitoring isn't paranoia, it's basic hygiene: review which add-ins are installed and what permission level each holds, rotate any password that was typed into a prompt that appeared inside an add-in pane, and check the sign-in logs for the accounts involved. The trusted channel just became another attack surface.

Final Thoughts

The recent breach involving a malicious Outlook add-in has exposed vulnerabilities within trusted app ecosystems and shows why users need to stay vigilant. Attackers are increasingly using legitimate distribution channels to exploit weaknesses, which raises real questions about how effective one-time app vetting is. This incident is a reminder that even official marketplaces can harbour risks. Scrutinise the permissions an add-in requests before installing it, regardless of how professional it appears, and be suspicious of any sign-in prompt that appears inside an add-in pane rather than in your browser or the Outlook sign-in flow itself.

At PC Repairs North Lakes, we understand the importance of securing your digital environment. Our team is equipped to help you navigate and enhance your online safety, ensuring your inbox and devices remain protected against such threats. Don’t leave your security to chance—click on our contact us page to get in touch and learn how we can assist you today!