A legitimate Outlook add-in called AgreeTo became the first documented malicious plugin in Microsoft's Office Store after attackers hijacked its abandoned hosting URL, transforming the 4.71-star rated meeting scheduler into a credential harvesting operation that compromised over 4,000 users. The original developer deleted the hosting address without removing the approved add-in, allowing attackers to deploy phishing kits that captured login credentials, IP addresses, and banking information while the add-in retained full email access permissions. Microsoft removed AgreeTo only after security researchers discovered the breach and notified affected accounts, exposing how trusted marketplace software can weaponize implicit platform endorsements when developers abandon projects without safeguards.
When a legitimate Outlook add-in is abandoned by its creator, what happens to the millions of users who installed it? In this instance, over 4,000 individuals discovered the answer the hard way when attackers hijacked AgreeTo, transforming a trusted calendar scheduler into a sophisticated credential harvesting operation.
AgreeTo began as precisely what the Microsoft ecosystem needed: an open-source meeting scheduler that allowed users to connect calendars and share availability through email. Published to the Office Add-in Store in December 2022, it earned a respectable 4.71-star rating and received genuine positive reviews. Users trusted it because Microsoft's marketplace vouched for it.
Then the developer walked away, deleting the Vercel deployment and leaving the hosting URL—outlook-one.vercel.app—abandoned and ripe for exploitation. This is where Microsoft's vetting process reveals a critical blind spot. The company reviews add-in manifests during initial submission but performs no ongoing verification of live content afterwards. An attacker simply claimed the abandoned URL without submitting anything new to Microsoft, deploying a phishing kit directly to an already approved hosting address.
The add-in remained listed in the store even though its creator vanished into the digital ether. The attack itself was brutally simple. When victims opened AgreeTo from their trusted Outlook sidebar, they encountered a convincing fake Microsoft login page. Scripts harvested credentials, IP addresses, credit card numbers, and banking security question answers, particularly targeting Canadian institutions. Everything flowed through Telegram's bot API straight to the attacker, who then redirected victims to the real Microsoft login to minimise suspicion.
It was smooth enough that most victims probably never realised they had been compromised. Koi Security uncovered the operation through the attacker's poorly secured exfiltration channel and recovered the complete dataset. This marks the first documented real-world malicious Outlook add-in—a dubious distinction that should concern anyone who installs productivity tools without a second thought.
The add-in retained ReadWriteItem permissions, technically allowing email reading and modification, though the primary focus remained on credential theft. Still, the potential for covert mailbox siphoning existed through JavaScript. Microsoft removed AgreeTo following Koi's report, and the security firm contacted all 4,000 victims.
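The two weaknesses described above (a manifest that keeps pointing at a hosting address nobody controls, combined with a broad ReadWriteItem permission) can be checked for by anyone auditing the add-ins in their tenant. The script below is an added example written for this article; it is not Koi Security's tooling or anything from Microsoft. It parses an Office add-in manifest, collects every host the manifest points Outlook at, and rates each one against a caller-supplied probe. The manifest, the GUID, the hostnames, the list of platforms that free up deleted subdomains, and the offline probe stub are all constructed for illustration; a real audit would swap the stub for an HTTP or DNS check.

```python
"""Audit an Office add-in manifest for abandoned hosting (constructed example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest. Its structure follows the Office add-in
# manifest schema, but the GUID, names and hosts are invented for this
# example and do not belong to AgreeTo or any real add-in.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>11111111-2222-3333-4444-555555555555</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Permissions>ReadWriteItem</Permissions>
  <AppDomains>
    <AppDomain>https://example-scheduler.vercel.app</AppDomain>
    <AppDomain>https://cdn.example-vendor.test</AppDomain>
  </AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-scheduler.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
</OfficeApp>
"""

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def local_name(tag):
    """Strip the XML namespace prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def extract_hosts(manifest_xml):
    """Return the sorted set of hostnames the manifest points Outlook at.

    Walks every element and collects any attribute value or text node that
    is an http(s) URL, so SourceLocation, AppDomain and VersionOverrides
    Url entries are all covered without hard-coding each element name.
    """
    root = ET.fromstring(manifest_xml)
    hosts = set()
    for elem in root.iter():
        candidates = list(elem.attrib.values())
        if elem.text:
            candidates.append(elem.text.strip())
        for value in candidates:
            if URL_RE.match(value):
                hosts.add(urlparse(value).hostname.lower())
    return sorted(hosts)


def declared_permission(manifest_xml):
    """Return the value of the manifest's <Permissions> element ('' if absent)."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "Permissions":
            return (elem.text or "").strip()
    return ""


# Hosting platforms where deleting a project frees its subdomain for anyone
# to re-register. Constructed, illustrative list; extend it for your estate.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io")


def audit_manifest(manifest_xml, probe):
    """Rate each host the manifest references.

    `probe(host)` is caller-supplied and returns 'live', 'unclaimed' or
    'unresolvable'. A dead project on a platform whose names can be
    re-registered is the takeover path this article describes, and it is
    rated higher when the add-in also holds a ReadWrite* permission.
    """
    permission = declared_permission(manifest_xml)
    findings = []
    for host in extract_hosts(manifest_xml):
        status = probe(host)
        reclaimable = host.endswith(RECLAIMABLE_SUFFIXES)
        if status == "live":
            risk = "info"
        elif reclaimable:
            risk = "high" if permission.startswith("ReadWrite") else "medium"
        else:
            risk = "medium"  # dead host elsewhere: domain may have lapsed
        findings.append({"host": host, "status": status, "risk": risk})
    return {"permission": permission, "findings": findings}


def stub_probe(host):
    """Constructed offline stand-in for a real HTTP/DNS probe."""
    return {
        "example-scheduler.vercel.app": "unclaimed",
        "cdn.example-vendor.test": "live",
    }.get(host, "unresolvable")


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, stub_probe)
    print("permission:", report["permission"])
    for f in report["findings"]:
        print(f"{f['risk']:6} {f['status']:12} {f['host']}")
```

Run against a tenant's installed manifests on a schedule, the "high" finding is the signal the store itself never produced here: an approved add-in whose task pane now loads from a hostname nobody owns.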
However, the operator behind AgreeToSteal, as Koi codenamed the campaign, isn't exactly lying low. They're running at least twelve additional phishing kits targeting internet service providers, banks, and webmail platforms. Researchers discovered that attackers actively tested stolen credentials during the investigation period, demonstrating immediate exploitation of compromised accounts.
The broader lesson resonates for our community of tech users who rely on marketplace trust signals. Supply chain attacks are not just about compromised npm packages or poisoned software updates anymore. They're about squatting on abandoned infrastructure that still carries Microsoft's implicit endorsement. The incident underscores how trusted software can become malicious when developers abandon critical infrastructure without proper safeguards. Your favourite add-in could become tomorrow's data breach, and the platform won't know until someone's Telegram channel is discovered.
Final Thoughts
The recent incident involving a malicious Outlook add-in that compromised 4,000 Microsoft accounts underscores a significant vulnerability in Microsoft's add-in vetting process. This situation raises critical concerns about the security protocols in place within the store. As Microsoft addresses the issue by removing the malicious add-in and initiating mandatory password resets, it's crucial for users to review their installed add-ins and implement multi-factor authentication for enhanced security.
At Brisbane City Computer Repairs, we understand the importance of safeguarding your digital assets. Our expert team can assist you in auditing your installed add-ins and setting up robust security measures. Don’t leave your accounts vulnerable—click on our contact us page to reach out and ensure your systems are secure today!
