First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
#Vulnerabilities

Security Reporter

A hijacked Outlook add-in named AgreeTo has been used to steal Microsoft credentials via a phishing page, highlighting supply chain risks in official marketplaces.

Security researchers at Koi Security have uncovered the first known malicious Microsoft Outlook add-in actively stealing credentials. Dubbed AgreeToSteal, this attack compromised over 4,000 Microsoft accounts by exploiting an abandoned calendar integration tool still listed in Microsoft's official Marketplace.

How the Attack Worked

  1. Abandoned Add-In: AgreeTo, last updated in December 2022, was a legitimate calendar management tool.
  2. Domain Hijack: Attackers claimed the add-in's expired Vercel domain (outlook-one.vercel[.]app), which hosted its dynamic content.
  3. Phishing Kit Deployment: The hijacked domain served a fake Microsoft login page capturing credentials.
  4. Credential Exfiltration: Stolen credentials were sent to attackers via Telegram's Bot API before redirecting victims to the real login page.

Critical Security Gap

According to Idan Dardikman, CTO of Koi Security, this attack exploits a structural flaw in Microsoft's add-in ecosystem: "Office add-ins declare a URL in their manifest file. Whatever that URL serves at any given moment runs inside Outlook after initial approval. Microsoft signed AgreeTo's manifest in 2022, but that same URL now hosts a phishing kit."

The add-in's ReadWriteItem permissions could have enabled even more severe attacks, including full mailbox access. Microsoft currently reviews manifests during submission but doesn't monitor subsequent content changes at the declared URLs.

Practical Recommendations

For Microsoft:

  • Implement automatic re-reviews when add-in URLs return changed content
  • Verify domain ownership continuity and flag transferred infrastructure
  • Delist add-ins that have not been updated within a defined timeframe (e.g., 18 months)
  • Display installation counts to prioritize response efforts

For Organizations:

  • Audit installed Outlook add-ins (Microsoft admin guidance)
  • Remove abandoned or low-usage add-ins
  • Enforce phishing-resistant MFA for all Microsoft accounts
  • Monitor for suspicious inbox rules or forwarding settings
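Added example, not code from the article or from Koi Security: a Python audit helper for the "approve once, trust forever" gap described above and for the add-in audit recommended to organizations. It parses an Outlook add-in manifest, lists every host the manifest lets Outlook load content from, and flags hosts on platforms whose subdomains can be re-registered after a project lapses (as with the reclaimed vercel.app domain in this incident) as well as high-privilege permissions such as ReadWriteItem. The manifest is a constructed sample and the list of reclaimable hosting suffixes is an assumption for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosting platforms where a deleted or expired project name can be claimed by
# anyone else. Assumed list for this example, not an authoritative catalogue.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io", ".herokuapp.com")

# Constructed, trimmed manifest for the example (the Id is a placeholder).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Calendar Helper"/>
  <AppDomains><AppDomain>https://login.example-helper.vercel.app</AppDomain></AppDomains>
  <FormSettings><Form><DesktopSettings>
    <SourceLocation DefaultValue="https://example-helper.vercel.app/taskpane.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""

def audit_manifest(xml_text: str) -> dict:
    """Return the hosts, permissions and risk findings declared by an add-in manifest."""
    root = ET.fromstring(xml_text)
    urls, permissions = set(), set()
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "Permissions" and el.text:
            permissions.add(el.text.strip())
        if tag == "AppDomain" and el.text:
            urls.add(el.text.strip())
        # SourceLocation, icon and VersionOverrides Url elements all carry
        # DefaultValue="https://..."; whatever those URLs serve runs in Outlook.
        value = el.get("DefaultValue", "")
        if value.startswith("http"):
            urls.add(value)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    reclaimable = [h for h in hosts if h.endswith(RECLAIMABLE_SUFFIXES)]
    findings = []
    if reclaimable:
        findings.append("dynamic content on reclaimable hosting: " + ", ".join(reclaimable))
    if permissions & {"ReadWriteItem", "ReadWriteMailbox"}:
        findings.append("high-privilege permission: " + ", ".join(sorted(permissions)))
    return {"hosts": hosts, "permissions": sorted(permissions), "findings": findings}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", line)
```

Run it against each manifest exported from the tenant's installed add-ins; hosts it reports are the ones worth pinning a content baseline for, since Microsoft's review does not re-check them after approval.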

This incident mirrors vulnerabilities in other marketplaces like VS Code extensions. As Dardikman notes: "The structural problem is the same across all platforms hosting remote dynamic dependencies—approve once, trust forever." Microsoft has been contacted for comment regarding mitigation timelines.
