
Operation Exploits Abandoned Outlook Add-In Domain to Launch Fake Microsoft Login Attacks


Cybersecurity researchers have discovered what they describe as the first known malicious Microsoft Outlook add-in detected in the wild.

In an unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the hosting domain that a now-abandoned, still-listed legitimate add-in loads its content from, and used it to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The cybersecurity company has codenamed the activity AgreeToSteal.

How the AgreeTo Add-In Became a Phishing Tool

The Outlook add-in at the center of the campaign is AgreeTo. Its developer advertises it as a way for users to connect different calendars in one place and share their availability via email. The developer last updated the add-in in December 2022.

Idan Dardikman, co-founder and CTO of Koi, told The Hacker News that the incident broadens the scope of supply chain attack vectors.

“This is the same class of attack we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval,” Dardikman said. “What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they’re distributed through Microsoft’s own store, which carries implicit trust.”

“The AgreeTo case adds another dimension: the original developer did nothing wrong. They built a legitimate product and moved on. The attack exploited the gap between when a developer abandons a project and when the platform notices. Every marketplace that hosts remote dynamic dependencies is susceptible to this.”

Exploiting the Office Add-In Architecture

At its core, the attack exploits how Office add-ins function and highlights the lack of periodic content monitoring for add-ins published to the Marketplace. According to Microsoft’s documentation, developers must create an account and submit their solution to the Partner Center, after which Microsoft subjects it to an approval process.

Moreover, Office add-ins do not ship code to the store. They rely on a manifest file that declares a URL; each time a user opens the add-in, Outlook loads that URL in an iframe (or embedded web view) inside the application and runs whatever the developer's server returns at that moment. Microsoft reviews and signs the manifest, not the content behind the URL, so nothing prevents a bad actor from taking over a domain or hosting subdomain the developer has let lapse and serving something entirely different at the same address.

In AgreeTo’s case, the manifest file pointed to a URL hosted on Vercel (“outlook-one.vercel[.]app”). After the developer deleted the Vercel deployment—effectively turning the project into abandonware around 2023—the subdomain became claimable by anyone who registered a new Vercel project under that name, while the signed manifest in the store kept pointing at it. As of this writing, the infrastructure remains live.

Phishing Execution and Potential for Greater Abuse

The attacker leveraged this behavior to host a phishing kit at that URL. The page displayed a fake Microsoft sign-in screen, captured entered passwords, exfiltrated the credentials via the Telegram Bot API, and then redirected victims to the legitimate Microsoft login page.

However, Koi warns that the situation could have escalated further. Because the add-in operates with “ReadWriteItem” permissions—which allow it to read and modify users’ emails—a threat actor could have exploited this blind spot to deploy JavaScript capable of covertly siphoning mailbox contents.

Consequently, the findings once again underscore the need to re-check tools published to marketplaces and repositories after approval, not only at submission. For Office add-ins that means monitoring what the manifest’s URL actually serves, since the packaged artifact Microsoft reviews is only the manifest.

Dardikman explained that while Microsoft reviews the manifest during the initial submission phase, the company does not control the live content retrieved from the developer’s server each time a signed and approved add-in opens. As a result, the absence of continuous monitoring of what the referenced URL serves leaves a gap between what was approved and what actually runs.

“Office add-ins are fundamentally different from traditional software,” Dardikman added. “They don’t ship a static code bundle. The manifest simply declares a URL, and whatever that URL serves at any given moment is what runs inside Outlook. In AgreeTo’s case, Microsoft signed the manifest in December 2022, pointing to outlook-one.vercel.app. That same URL is now serving a phishing kit, and the add-in is still listed in the store.”

Recommended Mitigations for Microsoft

To address the security risks posed by the threat, Koi recommends several steps Microsoft can take:

  • Trigger a re-review when an add-in’s URL begins returning content that differs from what reviewers originally approved.
  • Verify domain ownership to ensure that the add-in developer manages it, and flag add-ins whose domain infrastructure changes hands.
  • Implement a mechanism to delist or flag add-ins that have not received updates beyond a certain time period.
  • Display installation counts to help assess potential impact.

The Hacker News has reached out to Microsoft for comment and will update the story if the company responds.

A Broader Marketplace Problem

Importantly, the issue does not affect only the Microsoft Marketplace or Office Store. Last month, Open VSX announced plans to enforce security checks before publishers release Microsoft Visual Studio Code (VS Code) extensions to the open-source repository. Similarly, Microsoft conducts periodic bulk rescanning of packages in the VS Code Marketplace registry.

“The structural problem is the same across all marketplaces that host remote dynamic dependencies: approve once, trust forever,” Dardikman said. “The specifics vary by platform, but the fundamental gap that enabled AgreeTo exists anywhere a marketplace reviews a manifest at submission without monitoring what the referenced URLs actually serve afterward.”

Source: TheHackerNews
