Cybersecurity researchers have uncovered what is believed to be the first malicious Microsoft Outlook add-in observed in active attacks. The discovery highlights a new evolution in supply chain threats targeting trusted software marketplaces.
According to security firm Koi Security, an unidentified attacker hijacked a previously legitimate but abandoned Outlook add-in domain to host a fraudulent Microsoft login page. The campaign resulted in the theft of more than 4,000 user credentials and has been internally named AgreeToSteal.
How the Attack Unfolded
The compromised add-in, called AgreeTo, was originally designed to help users manage multiple calendars and share availability via email. The product was last updated in December 2022.
Rather than exploiting a vulnerability in the code itself, the attacker took advantage of how Office add-ins function. Outlook add-ins operate using a manifest file that references a URL. Each time the add-in runs, content is dynamically loaded from that external server and displayed inside Outlook through an embedded frame.
When the original developer discontinued the project and deleted the associated Vercel deployment, the domain outlook-one.vercel[.]app became available for re-registration. The attacker claimed the domain and replaced the legitimate content with a phishing kit.
Credential Harvesting Through Fake Login Page
Once users launched the add-in, it presented a counterfeit Microsoft sign-in page. Entered credentials were captured and transmitted through the Telegram Bot API before victims were redirected to the real Microsoft login portal, minimizing suspicion.
While the immediate impact involved credential theft, researchers warn the potential damage could have been far greater. The add-in had been granted ReadWriteItem permissions, allowing it to read and modify user emails. This level of access could have enabled attackers to deploy malicious scripts capable of silently extracting mailbox contents.
Supply Chain Weakness in Marketplace Model
Security experts emphasize that this incident reveals a broader structural weakness in digital marketplaces. During submission, Microsoft reviews and signs the manifest file. However, once approved, the platform does not continuously monitor the live content served by the referenced URL.
This creates a security blind spot. If a domain expires or infrastructure ownership changes, a malicious actor can repurpose the URL while the add-in remains trusted and available in the store.
Idan Dardikman, co-founder and CTO of Koi Security, noted that similar risks have been observed in browser extensions, npm packages, and IDE plugins. The core issue lies in approving a reference once and trusting it indefinitely without verifying whether the hosted content changes over time.
Recommended Security Improvements
To mitigate such risks, Koi Security suggests several protective measures for software marketplaces:
- Trigger automatic re-reviews when an add-in URL begins serving content different from what was originally approved
- Validate ongoing domain ownership to ensure it remains under developer control
- Flag or remove add-ins that have not received updates for extended periods
- Display installation counts to help assess potential exposure
Broader Industry Implications
The issue is not exclusive to Microsoft’s ecosystem. Other platforms that host extensions or dynamic dependencies face similar risks. Open VSX recently announced plans to introduce stricter security validation before publishing extensions. Microsoft’s VS Code Marketplace also performs periodic bulk rescanning of hosted packages.
The AgreeTo incident demonstrates how trusted distribution channels can become attack vectors when abandoned infrastructure is not actively monitored. As organizations increasingly rely on marketplace-based software integrations, continuous validation and lifecycle management of add-ins and extensions become critical components of cybersecurity defense strategies.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
