Malicious Outlook Add-in Breaches 4,000 Microsoft Accounts via Trusted Store
A hijacked Outlook add-in called AgreeTo became AgreeToSteal, harvesting more than 4,000 Microsoft account passwords through Microsoft's official add-in marketplace. After the original developer went dark in December 2022, an attacker registered the abandoned hosting domain that the add-in's manifest still pointed to, exploiting a gap in the review model: Microsoft reviews an add-in's manifest once but never re-validates the code that the manifest loads from external servers. Users encountered fake Microsoft login pages disguised as calendar features, and the stolen credentials flowed through a Telegram bot alongside credit card data and banking details from other phishing kits. Microsoft removed the add-in promptly, but the incident exposes an architectural weakness worth examining.
A trusted Outlook add-in with nearly five stars on Microsoft’s official store quietly transformed into a credential-stealing machine, siphoning over 4,000 Microsoft account passwords before security researchers caught on.
The AgreeTo calendar integration tool, once a legitimate productivity helper, became what Koi Security now calls AgreeToSteal—the first confirmed malicious Outlook add-in discovered in the wild. The transformation happened not through sophisticated hacking, but through simple abandonment. When the original developer stopped maintaining the project in December 2022, a threat actor noticed something valuable: the add-in’s web resources loaded from a Vercel-hosted URL that nobody owned anymore. They claimed it. Just like that, thousands of users who trusted Microsoft’s vetting process were running compromised code inside their email clients.
Here is where Microsoft's approval architecture shows its cracks. An Outlook add-in is not a standalone application that gets scrutinised with every update. It is an XML manifest whose SourceLocation entry names a URL on the developer's server, and Outlook loads whatever HTML and JavaScript that URL serves into the task pane at runtime. Microsoft reviews the manifest at submission, approves the listing, and then trusts that the external resources behind those URLs will stay benign indefinitely. There is no ongoing verification and no re-approval when the hosted content changes. The hijacker exploited this implicit trust precisely: by taking over the hosting domain, they reused an already-approved listing without submitting anything new to Microsoft.
Microsoft approves the manifest once, then assumes external resources will stay safe forever—no updates trigger review, no ongoing verification happens.
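The audit an organisation can run itself, given that Microsoft will not re-check the hosted code, is to read the manifest the way a reviewer would and then keep checking what the manifest's URLs actually serve. The script below is an added example written for this article, not code from Koi Security, Microsoft or the AgreeTo project. It parses a constructed sample manifest (illustrative names and URLs, not the real AgreeTo listing), lists every external URL the add-in loads or trusts at runtime, flags a broad mailbox permission and runtime code hosted on a platform where a deleted project name can be re-registered (the suffix list is an assumption for the audit, not a Microsoft policy), and records a content hash per URL so that later fetches can be compared against what was reviewed. Fetching the live content is left to the caller; the demo uses constructed bytes.

```python
"""Audit an Office add-in manifest for the once-only review gap.

Added example, not code from Koi Security, Microsoft or the AgreeTo project.
The sample manifest and the hosting-suffix list are constructed for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OFFICE_NS = "http://schemas.microsoft.com/office/appforoffice/1.1"

# Constructed sample manifest (illustrative names and URLs, not the real AgreeTo manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Calendar Helper"/>
  <Description DefaultValue="Schedules meetings from your inbox"/>
  <IconUrl DefaultValue="https://calendar-helper.vercel.app/icon.png"/>
  <AppDomains><AppDomain>https://login.example-cdn.net</AppDomain></AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://calendar-helper.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""

# Hosting platforms where a deleted project name can be re-registered by anyone.
# Assumption for this audit: code served from such a host deserves a manual check
# that the project is still controlled by the listed vendor.
CLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io", ".herokuapp.com")
BROAD_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}


def _tag(name: str) -> str:
    return f"{{{OFFICE_NS}}}{name}"


def audit_manifest(manifest_xml: str) -> dict:
    """Return the declared permission, the runtime URLs and a list of findings."""
    root = ET.fromstring(manifest_xml)
    urls = {
        "SourceLocation": [e.get("DefaultValue") for e in root.iter(_tag("SourceLocation"))],
        "IconUrl": [e.get("DefaultValue") for e in root.iter(_tag("IconUrl"))],
        "AppDomain": [e.text.strip() for e in root.iter(_tag("AppDomain")) if e.text],
    }
    perm_el = root.find(_tag("Permissions"))
    permission = perm_el.text.strip() if perm_el is not None and perm_el.text else "Restricted"

    findings = []
    if permission in BROAD_PERMISSIONS:
        findings.append(("BROAD_PERMISSION", permission))
    source_hosts = {urlparse(u).hostname for u in urls["SourceLocation"]}
    for host in sorted(source_hosts):
        if host.endswith(CLAIMABLE_SUFFIXES):
            findings.append(("CLAIMABLE_HOST", host))
    # AppDomains lets the task pane navigate to further domains; each one is more
    # code the reviewer never saw, so list any that differ from the code host.
    for domain in urls["AppDomain"]:
        host = urlparse(domain).hostname
        if host not in source_hosts:
            findings.append(("EXTRA_APP_DOMAIN", host))
    return {"permission": permission, "urls": urls, "findings": findings}


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def changed_since_approval(baseline: dict, current: dict) -> list:
    """URLs whose served content no longer matches the hash recorded at review time.

    baseline maps url -> sha256 hex recorded when the listing was approved;
    current maps url -> bytes fetched now (fetching is out of scope; the demo
    below uses constructed bytes).
    """
    return sorted(u for u, body in current.items() if baseline.get(u) != fingerprint(body))


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("permission:", report["permission"])
    for code, detail in report["findings"]:
        print(f"  {code}: {detail}")
    url = report["urls"]["SourceLocation"][0]
    approved = b"<html><body><h1>Calendar Helper</h1></body></html>"          # constructed
    served = b"<html><body><form>Sign in to continue</form></body></html>"   # constructed
    print("changed since approval:", changed_since_approval({url: fingerprint(approved)}, {url: served}))
```

Run it against each deployed add-in's manifest and keep the hash baseline in version control; a changed hash on an add-in whose listing has not been updated is exactly the signal Microsoft's review process does not produce.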
For unsuspecting users, the experience changed dramatically. Instead of calendar scheduling features, the task pane showed a convincing fake Microsoft login page embedded right in the Outlook sidebar. Enter credentials, hit submit, and the username, password and the victim's IP address were posted to the Telegram Bot API and delivered straight to the attacker's chat. Victims were then redirected to the real Microsoft login page so that nothing looked wrong. Smooth operation, minimal friction.
The stolen haul extended beyond those 4,000 Microsoft accounts. Koi researchers accessed the exfiltration channel and found credit card numbers, CVVs, PINs, banking security answers, and Interac e-Transfer details from at least twelve additional phishing kits targeting banks, ISPs, and webmail services. This wasn’t an opportunistic amateur—this was someone running a credential harvesting operation across multiple trusted channels.
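The exfiltration flow described above leaves a distinctive trace in outbound web traffic: a request from a user workstation to the Telegram Bot API, followed seconds later by the same host reaching a genuine Microsoft login page. The following detection is an added example written for this article, not Koi Security's logic or any vendor's rule. It runs over constructed, tab-separated proxy log lines (timestamp, source IP, method, host, path; the bot tokens are dummies of the right shape), flags Bot API calls by path, and marks an alert as higher confidence when the redirect-to-real-login pattern follows within a 15-second window, an assumed value that a deployment would tune.

```python
"""Detect Telegram Bot API exfiltration followed by a redirect to a real login.

Added example, not Koi Security's detection logic or any vendor's rule.
Log format and lines are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample proxy log: timestamp, source IP, method, host, path.
LOG_LINES = """\
1700000000.120\t10.1.4.22\tGET\tcalendar-helper.vercel.app\t/taskpane.html
1700000003.510\t10.1.4.22\tPOST\tapi.telegram.org\t/bot7123456789:AAHx-example_TOKEN_value_00000000/sendMessage
1700000004.002\t10.1.4.22\tGET\tlogin.microsoftonline.com\t/common/oauth2/v2.0/authorize
1700000050.000\t10.1.4.37\tGET\tweb.telegram.org\t/k/
1700000080.000\t10.1.4.51\tPOST\tapi.telegram.org\t/bot5550001111:BBBexample_token_value_1111111111/sendDocument
""".splitlines()

# Bot API paths carry the token in the URL: /bot<numeric id>:<secret>/<method>.
BOT_API_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>sendMessage|sendDocument|sendPhoto)$"
)
LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
REDIRECT_WINDOW_S = 15.0   # assumed tuning value for "redirected right after submit"


@dataclass
class Alert:
    ts: float
    src: str
    bot_id: str          # numeric bot id, safe to report
    token_fp: str        # sha256 prefix of the secret, to correlate reports without storing it
    method: str
    followed_by_login: bool


def parse_line(line: str):
    ts, src, method, host, path = line.split("\t")
    return float(ts), src, method, host, path


def detect_bot_api_exfil(lines):
    """Return one Alert per Bot API call seen from a user endpoint."""
    events = [parse_line(line) for line in lines if line.strip()]
    alerts = []
    for ts, src, _method, host, path in events:
        if host != "api.telegram.org":
            continue
        m = BOT_API_PATH.match(path)
        if not m:
            continue
        # Same source reaching a genuine Microsoft login page shortly afterwards
        # matches the "harvest, then bounce to the real page" behaviour.
        followed = any(
            s == src and h in LOGIN_HOSTS and ts < t2 <= ts + REDIRECT_WINDOW_S
            for t2, s, _, h, _ in events
        )
        token_fp = hashlib.sha256(m["secret"].encode()).hexdigest()[:12]
        alerts.append(Alert(ts, src, m["bot_id"], token_fp, m["method"], followed))
    return alerts


if __name__ == "__main__":
    for a in detect_bot_api_exfil(LOG_LINES):
        level = "HIGH" if a.followed_by_login else "MEDIUM"
        print(f"{level}: {a.src} -> bot {a.bot_id} ({a.method}), token fp {a.token_fp}")
```

Ordinary Telegram use goes to web.telegram.org or the client's own endpoints, not to api.telegram.org/bot..., so the path match alone is a usable medium-severity signal on a corporate network; the login correlation is what separates a phishing kit from a developer testing a bot.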
The attack vector feels uncomfortably familiar. Browser extensions get compromised. NPM packages hide malicious code. Now Office add-ins join the supply chain vulnerability parade. The common thread? Trusted distribution channels where verification happens once, then everyone assumes safety forever. AgreeTo had been available on the official Microsoft Office Add-in Store since December 2022, giving the later-compromised listing an established presence that further bolstered user confidence. The incident underscores how abandoned legitimate software can become weaponized when attackers seize control of expired infrastructure.
Thankfully, the attacker did not use the add-in's ReadWriteItem permission, which would have let the injected code read and modify the message or appointment the user had open. That capability sat unused, though Koi observed the stolen credentials being actively tested during the investigation.
Microsoft removed the add-in immediately after notification. For affected users, the playbook is familiar: change the password, enable multifactor authentication, sign out of all active sessions so that existing tokens are invalidated, and review recent sign-in activity and account settings (mail forwarding rules and recovery contacts in particular) for changes that were not theirs. Organisations should also check which add-ins are deployed across the tenant and remove this one wherever it appears. Koi Security warned the roughly 4,000 victims directly.
The incident exposes a fundamental tension in software ecosystems: convenience demands trust, but trust without verification creates attack surfaces. Microsoft’s add-in architecture prioritises developer flexibility over continuous security validation. That calculation just got markedly more expensive.
Final Thoughts
The compromise of roughly 4,000 Microsoft accounts through a hijacked Outlook add-in makes a point that is easy to forget: a listing in an official store proves that a manifest passed review on one day, not that the code it loads today is still the code that was reviewed. Users naturally assume that applications from official stores are safe, which is exactly what makes abandoned listings attractive to attackers. To guard against this, organisations should periodically audit their third-party integrations, including those from seemingly legitimate sources, checking what permissions each one holds and which external domains it loads code from.
The Computer Super Heroes Team can assist your organization in navigating these security challenges by implementing comprehensive audits and enhancing your defenses against potential breaches. Don’t wait for an incident to occur—take proactive measures to protect your digital environment.
