First Malicious Outlook Add-In Discovered in the Wild After Abandoned Domain Hijack Steals 4,000 Credentials
Researchers at Koi Security have discovered what they describe as the first known malicious Microsoft Outlook add-in detected in the wild — a supply chain attack that exploited an abandoned developer domain to serve a phishing kit directly inside Outlook, stealing over 4,000 Microsoft credentials.
The campaign, codenamed AgreeToSteal, targeted users of AgreeTo, a legitimate Outlook add-in designed for calendar sharing that was last updated in December 2022 before being abandoned by its developer.
How the Attack Worked
The attack exploits a fundamental architectural weakness in how Microsoft Office add-ins operate. Add-ins use a manifest file that declares a URL, and the content at that URL is fetched and rendered in real time inside an iframe within Outlook every time the add-in is opened. Microsoft reviews the manifest during initial submission to the Office Store but performs no ongoing monitoring of what the referenced URL actually serves afterward.
When the original AgreeTo developer abandoned the project around 2023, their Vercel deployment at outlook-one.vercel[.]app became claimable. An unknown attacker seized the domain and replaced the legitimate add-in content with a phishing kit displaying a fake Microsoft sign-in page.
Entered credentials were exfiltrated via the Telegram Bot API before victims were redirected to the real Microsoft login page. The infrastructure remains live as of publication, and the add-in is still listed in the Microsoft Store.
Worse Than Credential Theft
Koi warns the impact could have been far more severe. The AgreeTo add-in is configured with ReadWriteItem permissions, granting the ability to read and modify user emails. An attacker could have deployed JavaScript to covertly siphon entire mailbox contents rather than simply phishing for passwords.
"Office add-ins are fundamentally different from traditional software," said Idan Dardikman, co-founder and CTO of Koi Security. "They don't ship a static code bundle. The manifest simply declares a URL, and whatever that URL serves at any given moment is what runs inside Outlook."
A Systemic Marketplace Problem
The vulnerability mirrors supply chain attacks already seen in browser extensions, npm packages, and IDE plugins — trusted distribution channels where content can change after approval. What makes Office add-ins particularly dangerous is their execution context: they run inside Outlook where users handle their most sensitive communications, through Microsoft's own store which carries implicit trust.
Koi recommends Microsoft implement content change detection to trigger re-reviews, domain ownership verification, automatic delisting of long-abandoned add-ins, and visible installation counts to assess blast radius.
The structural weakness is not unique to Microsoft. Open VSX recently announced plans to enforce security checks for VS Code extensions, and Microsoft's own VS Code Marketplace now performs periodic bulk rescanning. But the core problem persists across all marketplaces that host remote dynamic dependencies: approve once, trust forever.
Recommendation
Organizations should audit installed Outlook add-ins across their environment and remove any that are no longer actively maintained. Implement conditional access policies restricting add-in installation to IT-approved lists only. Monitor for add-ins with ReadWriteItem or higher permissions. The broader lesson applies to all marketplace-distributed extensions — browser, IDE, and Office — where abandoned projects represent hijackable attack surface.
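An audit helper for the checks recommended above, written as an added example for this article rather than taken from Koi's report or any Microsoft tooling: it parses an Outlook add-in manifest, reports the declared permission level, and flags any source host on shared hosting where a deleted project name can be re-registered. The sample manifest, the `example-addin` hostname and the hosting suffix list are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Outlook add-in permission levels, least to most privileged (real manifest values).
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Shared hosting suffixes where a deleted project name can be claimed by anyone.
# Assumption for this example; extend the tuple to match your own policy.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".github.io", ".netlify.app", ".herokuapp.com")

# Constructed sample in the shape of an Outlook (MailApp) add-in manifest.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-addin.vercel.app/index.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""


def audit_manifest(xml_text, flag_at="ReadWriteItem"):
    """Return the declared permission, the remote hosts the add-in loads its UI
    and code from, and a list of findings that deserve a human review."""
    root = ET.fromstring(xml_text)

    def local(tag):  # strip the XML namespace so schema versions do not matter
        return tag.rsplit("}", 1)[-1]

    permission, urls = "Restricted", set()
    for el in root.iter():
        name = local(el.tag)
        if name == "Permissions" and el.text:
            permission = el.text.strip()
        # SourceLocation (form settings) and bt:Url (VersionOverrides) both carry
        # the remotely fetched URL in a DefaultValue attribute.
        if name in ("SourceLocation", "Url") and el.get("DefaultValue"):
            urls.add(el.get("DefaultValue").strip())
    hosts = sorted({urlparse(u).hostname or "" for u in urls})
    findings = []
    if PERMISSION_RANK.get(permission, 0) >= PERMISSION_RANK[flag_at]:
        findings.append(f"permission {permission} allows reading/modifying mail items")
    for h in hosts:
        if h.endswith(RECLAIMABLE_SUFFIXES):
            findings.append(f"content is served from reclaimable shared hosting: {h}")
    return {"permission": permission, "hosts": hosts, "findings": findings}
```

Run it over every manifest exported from your tenant; an add-in that produces findings and has not been updated in years is a candidate for removal.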