Deceptive Outlook Add-In Breaches 4,000 Microsoft Accounts via Store Exploit

Over 4,000 Microsoft accounts fell victim to "AgreeToSteal," a phishing campaign exploiting AgreeTo, an abandoned Outlook add-in still listed in Microsoft's store. Attackers hijacked an orphaned Vercel URL in the add-in's manifest, replacing legitimate content with a convincing fake login page that harvested credentials, credit card details, and banking information via Telegram's bot API. The breach exposed critical gaps in Microsoft's post-approval monitoring of third-party integrations—the add-in retained ReadWriteItem permissions throughout the attack. Security researchers recommend enabling multi-factor authentication immediately, and there's more to this supply chain vulnerability than meets the eye.

A long-abandoned Outlook add-in has quietly siphoned over 4,000 Microsoft account credentials in what security researchers are calling the first confirmed malicious attack of its kind targeting the productivity platform's third-party ecosystem.

The hijacked application, originally called AgreeTo, was a legitimate meeting scheduling tool that connected calendars and shared availability across teams. After its developer abandoned the project in December 2022, the add-in remained listed in the Microsoft Store with its 4.71-star rating intact, creating the perfect cover for what Koi Security researchers would later dub "AgreeToSteal."

Here's where things get particularly unsettling: the attacker never touched the add-in itself. Instead, they claimed an orphaned Vercel-hosted URL—outlook-one.vercel.app—that AgreeTo's manifest referenced for loading external resources. Office add-ins pull content dynamically from developer-controlled servers, and Microsoft's vetting process apparently stops after initial approval. No one checks what happens to those URLs afterward.

The threat actor replaced the legitimate content with a sophisticated phishing kit, complete with a convincing fake Microsoft login page, credential exfiltration scripts, and a redirect to the real authentication portal. When users opened Outlook, the compromised add-in loaded this fraudulent interface in a sidebar, mimicking the exact appearance of legitimate Microsoft prompts. Most victims probably didn't think twice.

The stolen data reads like an identity thief's wishlist. Beyond Microsoft account credentials, the attacker collected credit card numbers, CVVs, PINs, and banking security answers for Interac e-Transfer payments—a detail suggesting Canadian targets. Every victim's IP address was logged alongside their credentials, and researchers discovered the attacker actively testing stolen accounts during their investigation.

Exfiltration was brutally simple: everything went straight to the attacker via Telegram's bot API. No elaborate command-and-control infrastructure needed, just automated forwarding of phished data to a channel that researchers accessed, confirming the scale of the breach.

The add-in retained ReadWriteItem permissions, theoretically allowing email read and modify access across victims' mailboxes. Whether the attacker actually siphoned mailbox contents remains unconfirmed, but the architectural vulnerability is glaring. Microsoft removed the add-in immediately after notification, yet the damage exposes fundamental blind spots in their distribution model.

This attack vector mirrors supply chain compromises seen with browser extensions and npm packages, but targets potentially more sensitive territory—your work email, where implicit trust runs deep. The attacker behind AgreeToSteal operates at least twelve other phishing kits targeting banks, ISPs, and webmail providers, suggesting this wasn't opportunistic experimentation but calculated exploitation. The incident highlights a new vector in supply chain attacks that exploits the trust users place in Microsoft's distribution channels.

Microsoft's weak post-approval verification created an open door. Because add-ins are distributed as manifests that point at externally hosted resources rather than as packaged code, a manifest approved before the hijack keeps loading whatever those URLs serve, indefinitely. Microsoft's review only inspects the manifest file at submission time and does not account for later changes to the external resources it references.
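An added defender-side check, not code from the article or from Koi Security: the script below parses an Outlook add-in manifest, lists every external host the add-in loads content from together with the permission level it requests, and probes each host so an abandoned one surfaces in an audit of installed add-ins. The manifest, hostnames and GUID are constructed placeholders; the DNS probe is only a first pass, since hosting platforms such as Vercel may answer wildcard DNS for any subdomain, so a real audit should plug in an HTTP probe that recognises the provider's "no such deployment" response.

```python
"""Audit an Office add-in manifest for dangling resource hosts (added example)."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the Outlook add-in manifest layout; the
# hostnames and GUID are placeholders, not values from the AgreeTo incident.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://cdn.example-vendor.test/icon-64.png"/>
  <AppDomains><AppDomain>https://addin-example.vercel.app</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://addin-example.vercel.app/index.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""


def manifest_urls(xml_text):
    """Every http(s) URL the manifest references, in attributes or element text."""
    urls = set()
    for el in ET.fromstring(xml_text).iter():
        for value in list(el.attrib.values()) + [el.text or ""]:
            if value.strip().startswith(("http://", "https://")):
                urls.add(value.strip())
    return sorted(urls)


def manifest_permissions(xml_text):
    """The permission level the manifest requests (e.g. ReadWriteItem)."""
    ns = {"o": "http://schemas.microsoft.com/office/appforoffice/1.1"}
    node = ET.fromstring(xml_text).find("o:Permissions", ns)
    return (node.text or "").strip() if node is not None else ""


def dns_probe(host):
    """First-pass probe (network call): 'unresolved' once the name stops resolving.
    Wildcard-DNS hosting platforms need an HTTP probe instead; pass one via `probe`."""
    try:
        socket.getaddrinfo(host, 443)
        return "resolves"
    except socket.gaierror:
        return "unresolved"


def audit_manifest(xml_text, probe=dns_probe):
    """Probe every referenced host; anything not resolving is a re-claim candidate."""
    hosts = sorted({urlparse(u).hostname for u in manifest_urls(xml_text)})
    report = {h: probe(h) for h in hosts}
    return {"permissions": manifest_permissions(xml_text), "hosts": report,
            "flagged": [h for h, s in report.items() if s != "resolves"]}
```

Run `audit_manifest` over each manifest exported from the tenant's add-in inventory; a flagged host paired with ReadWriteItem or broader permissions is the case to act on first.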

Security experts now recommend activating multi-factor authentication and reviewing account activity logs, though closing this systemic gap requires Microsoft to fundamentally rethink how it monitors third-party integrations after approval.

Final Thoughts

The recent breach affecting 4,000 Microsoft accounts through a hijacked Outlook add-in underscores significant flaws in Microsoft's app verification process. This vulnerability is particularly concerning for a platform relied upon by millions of enterprise users. That an abandoned add-in could stay listed and be turned into a phishing vehicle points to necessary improvements in security measures. In light of this incident, it is essential for users to review their installed add-ins and revoke permissions for any that seem suspicious.

Ipswich Computer Repairs can assist businesses in auditing their add-ins and enhancing their overall security posture to prevent future breaches. Don't wait for another incident—take proactive steps to protect your data. Click on our contact us page to get in touch and ensure your systems are secure.