Malicious Outlook Add-in in Official Microsoft Office Store Leads to Massive Account Compromise

CyberSecureFox 🦊

Researchers from Koi Security have documented the first confirmed case of a malicious Outlook add-in being distributed directly through the official Microsoft Office Add-in Store. A previously legitimate extension, AgreeTo, was silently hijacked and converted into a fully fledged phishing kit, enabling attackers to steal more than 4,000 Microsoft accounts as well as sensitive financial information.

Malicious Outlook add-in distributed via trusted Microsoft Office Add-in Store

AgreeTo was initially promoted as a convenient Outlook add-in for scheduling meetings. Developed by an independent publisher, it had been available in the Microsoft Office Add-in Store since December 2022. Its presence in the official marketplace and prior legitimate functionality created a high level of trust among users and administrators.

Technically, Office add-ins are driven by a manifest file that specifies configuration and a URL endpoint from which the add-in loads its web-based content and logic. In the case of AgreeTo, the manifest pointed to a domain hosted on Vercel: outlook-one.vercel[.]app. Over time, the original developer effectively abandoned the project, but the add-in remained available in the store and continued to function for existing users.

How the AgreeTo Outlook add-in was turned into a phishing toolkit

Office add-in architecture: a blind spot after initial review

The core weakness exploited in this incident lies in the distribution and trust model of Office add-ins. When an add-in is first submitted, Microsoft validates and signs only the manifest file. After approval, all subsequent content and code the user interacts with are delivered directly from the developer’s external web server, with no continuous content vetting by Microsoft.

Attackers abused this model by gaining control over the URL defined in the AgreeTo manifest. Without altering the signed manifest itself, they replaced the legitimate scheduling interface with a phishing kit hosted at the same domain. From the perspective of the Microsoft store and endpoint security controls, the add-in remained the same trusted product, while its live content had been weaponized.

Attack chain: interface spoofing and Microsoft credential theft

According to Koi Security’s analysis, the compromised AgreeTo add-in began serving a fake Microsoft login page within Outlook’s task pane. When users launched the add-in, instead of the expected meeting scheduling UI, they were presented with a highly realistic Microsoft sign-in form requesting their account credentials.

The phishing page captured usernames, passwords and additional details, then exfiltrated them to the attackers via a Telegram bot API. Immediately after harvesting the data, victims were redirected to the legitimate Microsoft authentication page, reinforcing the illusion of a normal login process and significantly reducing the chance of user suspicion.

By gaining temporary access to the threat actor’s exfiltration channel, the researchers observed that the campaign had already compromised over 4,000 Microsoft accounts. Among the stolen data were payment card numbers and answers to security questions, expanding the impact well beyond email access to broader financial and identity-related risks.

Impact, permissions and links to broader phishing infrastructure

The hijacked add-in retained its original ReadWriteItem permission in Outlook, which allows reading and modifying email items. Although Koi Security did not find clear evidence that these privileges were actively abused, their presence significantly raised the potential damage, enabling scenarios such as covert manipulation of email threads, insertion of malicious links and lateral movement through reply and forward chains.
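The manifest trust model described above (Microsoft signs the manifest, the live code comes from whatever URLs the manifest names) and the ReadWriteItem permission are both visible in the manifest XML itself, so an administrator can audit installed add-ins from that file alone. The Python script below is an added defensive example, not part of the original article or of Koi Security's tooling: it parses a manifest, lists every hostname the add-in loads code or assets from, flags hosts that are not on a publisher-owned allowlist (in particular shared static-hosting platforms, where the publisher controls a project name rather than a domain registration), and reports the requested mail permission. The sample manifest, the `PUBLISHER_DOMAINS` allowlist and the `SHARED_HOSTING_SUFFIXES` policy list are constructed assumptions for illustration.

```python
"""Audit an Office add-in manifest for where its live code is hosted and
what mailbox permission it requests.

Added defensive example; not Microsoft's or Koi Security's code.
The manifest and policy lists below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample manifest, abbreviated to the Outlook MailApp elements
# that matter for this audit. Domain and IDs are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Publisher</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed sample add-in"/>
  <IconUrl DefaultValue="https://example-addin.vercel.app/icon.png"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-addin.vercel.app/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
                    xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls>
        <bt:Url id="Taskpane.Url" DefaultValue="https://example-addin.vercel.app/taskpane.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""

# Assumed organisational policy: domains the publisher is known to own.
PUBLISHER_DOMAINS = {"example-publisher.com"}
# Assumed policy: shared static-hosting suffixes where a project name, not a
# registered domain, decides who serves the add-in's code.
SHARED_HOSTING_SUFFIXES = (".vercel.app", ".github.io", ".netlify.app",
                           ".pages.dev", ".azurestaticapps.net", ".web.app")
# Mail permissions that allow add-in code to read or modify mailbox content.
HIGH_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}


def extract_urls(root):
    """Collect every http(s) URL carried in a DefaultValue attribute,
    whatever element or namespace it sits in (SourceLocation, bt:Url, IconUrl)."""
    return [el.attrib["DefaultValue"] for el in root.iter()
            if el.attrib.get("DefaultValue", "").startswith(("http://", "https://"))]


def extract_permission(root):
    """Return the text of the <Permissions> element, ignoring its namespace."""
    for el in root.iter():
        if el.tag.split("}")[-1] == "Permissions":
            return (el.text or "").strip()
    return ""


def audit_manifest(xml_text):
    """Return the hosts the add-in loads from, its permission, and findings."""
    root = ET.fromstring(xml_text)
    urls_by_host = defaultdict(list)
    findings = []
    for url in extract_urls(root):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        urls_by_host[host].append(url)
        if parsed.scheme != "https":
            findings.append(f"insecure scheme: {url}")
    for host in sorted(urls_by_host):
        if host in PUBLISHER_DOMAINS:
            continue
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            findings.append(f"code served from shared hosting, not a publisher domain: {host}")
        else:
            findings.append(f"host not on publisher allowlist: {host}")
    perm = extract_permission(root)
    if perm in HIGH_PERMISSIONS:
        findings.append(f"high mail permission requested: {perm}")
    return {"hosts": sorted(urls_by_host), "permission": perm, "findings": findings}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("hosts:", ", ".join(report["hosts"]))
    print("permission:", report["permission"])
    for finding in report["findings"]:
        print("-", finding)
```

Run against a real manifest (for example one exported from the Microsoft 365 admin center), the host list is what to compare against the publisher's known domains on each audit, since a change of control over any of those hosts changes the add-in's behaviour without touching the signed manifest.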

Infrastructure analysis indicated that the operator behind the AgreeTo campaign also managed at least a dozen additional phishing kits targeting internet service providers, financial institutions and email providers. During monitoring, the attackers were seen actively validating newly obtained credentials in near real time, suggesting rapid monetization through unauthorized access and resale on underground markets.

Based on Koi Security’s assessment, this is the first publicly known instance of malware being distributed directly from the official Microsoft Office Add-in Store and the first documented case of a malicious Outlook add-in leveraging this trusted ecosystem in real-world attacks.

Mitigating risks from malicious Office and Outlook add-ins

The AgreeTo add-in reportedly remained available in the Microsoft Office Add-in Store until 11 February 2026, when it was removed by Microsoft. Users and organizations that still have AgreeTo installed are strongly advised to uninstall it immediately, reset their Microsoft account passwords, enable multi-factor authentication (MFA) and review the security of linked services such as online banking, corporate email and cloud storage.

This incident underscores that even official extension marketplaces are not immune to supply-chain style abuse. Organizations should implement stricter controls around Office and Outlook add-ins, including centralized approval workflows, allowlists for trusted publishers, regular audits of installed extensions and user awareness training focused on identifying fraudulent login prompts.

Companies using Outlook and Microsoft 365 can significantly reduce exposure by combining conditional access policies, continuous sign-in monitoring, strong and enforced MFA, and centralized add-in management through Microsoft 365 admin tools. Reducing blind spots between the vendor’s ecosystem and internal security processes is essential to prevent seemingly “helpful” add-ins from becoming stealthy entry points for account takeover and data theft.
