AgreeTo Malicious Outlook Add-In

Cybersecurity researchers have uncovered what is believed to be the first known malicious Microsoft Outlook add-in detected in the wild. The campaign, codenamed AgreeToSteal, represents a novel and troubling supply chain attack that abuses trust in Microsoft's Office add-in ecosystem.

In this incident, a threat actor hijacked the domain associated with an abandoned yet legitimate Outlook add-in. By repurposing the expired infrastructure, the attacker deployed a counterfeit Microsoft login page and successfully harvested more than 4,000 user credentials.

This discovery signals a new phase in marketplace-based supply chain threats, this time targeting enterprise productivity software at its core.

From Productivity Tool to Phishing Vector

The compromised add-in, known as AgreeTo, was originally developed to help users consolidate multiple calendars and share availability through email. It was last updated in December 2022.

Unlike traditional malware distribution campaigns, this attack did not involve exploiting a vulnerability in the codebase. Instead, it capitalized on a structural weakness in how Office add-ins function. Researchers classify this as a variation of previously observed attacks affecting browser extensions, npm packages, and IDE plugins: trusted distribution channels in which approved content can later change without triggering scrutiny.

Office add-ins introduce heightened risk due to several compounding factors:

  • They execute directly within Outlook, where highly sensitive communications are handled.
  • They may request powerful permissions, including the ability to read and modify emails.
  • They are distributed through Microsoft's official store, inheriting implicit user trust.

The AgreeTo case underscores a critical reality: the original developer did nothing malicious. A legitimate product was created and later abandoned. The attack exploited the gap between project abandonment and marketplace oversight.

Exploiting the Office Add-In Architecture

At the heart of the incident lies the design of Office add-ins. Developers submit their add-ins through Microsoft's Partner Center, where the solution undergoes review and approval. However, approval is largely tied to a manifest file, not a static code package.

Office add-ins differ fundamentally from conventional software. Rather than shipping bundled code, the manifest file specifies a URL. Each time the add-in is opened inside Outlook, the application retrieves live content from that URL and renders it within an iframe.

This architectural model introduces a critical exposure: once approved and signed, the add-in continues to load whatever content the referenced URL serves in real time. If control of that URL changes, due to domain expiration or infrastructure abandonment, malicious content can be introduced without modifying the signed manifest.

In the AgreeTo case, the manifest referenced a Vercel-hosted URL (outlook-one.vercel[.]app). After the developer's deployment was deleted and the project effectively became abandonware around 2023, the URL became claimable. An attacker seized control of it while the add-in remained listed in Microsoft's store.

As of reporting, the infrastructure remains active.
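
For defenders inventorying installed add-ins, the trust relationship described above can be read straight out of a manifest. The following is an added example, not code from the researchers or from Microsoft: it parses a constructed mail add-in manifest (not the real AgreeTo manifest), lists every remote host the manifest points at, and flags write-capable permissions and hosts on shared platforms. The platform suffix list and the sample hosts are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: suffixes of platforms where a deleted project's subdomain can be re-registered.
SHARED_HOSTING = (".vercel.app", ".netlify.app", ".herokuapp.com", ".azurewebsites.net")
WRITE_PERMS = {"ReadWriteItem", "ReadWriteMailbox"}

# Constructed manifest for illustration; hosts and Id are placeholders.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Sample Calendar Add-in"/>
  <IconUrl DefaultValue="https://cdn.contoso.example/icon.png"/>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://sample-addin.vercel.app/index.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""

def audit_manifest(xml_text):
    """Return the remote hosts and permission a manifest delegates trust to."""
    root = ET.fromstring(xml_text)
    hosts, permission, name = set(), None, None
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if tag == "Permissions":
            permission = (el.text or "").strip()
        elif tag == "DisplayName":
            name = el.get("DefaultValue")
        for value in el.attrib.values():         # SourceLocation, IconUrl, resource URLs
            if value.lower().startswith(("http://", "https://")):
                host = urlparse(value).hostname
                if host:
                    hosts.add(host)
    findings = []
    if permission in WRITE_PERMS:
        findings.append(f"write-capable permission: {permission}")
    for host in sorted(hosts):
        if host.endswith(SHARED_HOSTING):
            findings.append(f"code served from re-claimable hosting: {host}")
    return {"name": name, "permission": permission,
            "hosts": sorted(hosts), "findings": findings}
```
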

Phishing Execution and Credential Exfiltration

After claiming the abandoned deployment, the attacker hosted a phishing kit at the referenced URL. The malicious content displayed a fake Microsoft sign-in page designed to capture user credentials.

Captured passwords were exfiltrated using the Telegram Bot API. Victims were then redirected to the legitimate Microsoft login page, reducing suspicion and increasing the likelihood of successful credential theft.

While the observed activity focused on credential harvesting, researchers warn that the impact could have been significantly more severe. The add-in was configured with ReadWriteItem permissions, which grant the ability to read and modify user emails. A more aggressive threat actor could have deployed JavaScript capable of silently exfiltrating mailbox contents, creating a powerful espionage vector within enterprise environments.

A Marketplace Oversight Gap with Broader Implications

Microsoft reviews add-in manifests during the initial submission process, but there is no continuous validation of the live content served by the referenced URLs after approval. This creates a structural trust gap: the manifest is signed once, yet the remote content it references can change indefinitely.

The AgreeTo add-in was signed in December 2022. Although the original content was legitimate at the time of approval, the same URL now serves a phishing kit, and the add-in remains available in the store.

This issue extends beyond Microsoft's ecosystem. Any marketplace that approves a submission once without ongoing monitoring of remote dynamic dependencies is exposed to similar risks. The structural weakness is consistent across platforms: approve once, trust indefinitely.

Strategic Mitigations to Reduce Marketplace Risk

To address the systemic weaknesses exposed by AgreeToSteal, security experts recommend several countermeasures:

  • Trigger automatic re-reviews when an add-in's referenced URL begins serving content that differs materially from what was originally reviewed.
  • Implement domain ownership validation to confirm that infrastructure remains under the developer's control, and flag add-ins where hosting ownership changes.
  • Establish mechanisms to delist or warn users about add-ins that have not been updated within defined timeframes.
  • Display installation counts to help assess exposure and potential impact.

Continuous monitoring of live content, rather than relying solely on static manifest approval, is essential to mitigating supply chain risks in modern extension ecosystems.
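
One way to approximate the first recommendation, a re-review trigger on material change, is sketched below as an added example (not part of the original report or any marketplace's tooling). Instead of hashing the page, which would fire on every cosmetic edit, it compares the origins that scripts, forms and iframes point at and the number of password fields between the reviewed snapshot and the live content. Both HTML samples are constructed and the host collector.example is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class Fingerprint(HTMLParser):
    """Collect the security-relevant surface of a page: origins and credential fields."""
    URL_ATTRS = {"script": "src", "form": "action", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.origins, self.password_fields = set(), 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1
        url = attrs.get(self.URL_ATTRS.get(tag, ""))
        host = urlparse(url or "").hostname
        if host:
            self.origins.add(host)

def fingerprint(html):
    parser = Fingerprint()
    parser.feed(html)
    return parser

def material_drift(reviewed_html, live_html):
    """Return the reasons the live page differs materially from the reviewed one."""
    old, new = fingerprint(reviewed_html), fingerprint(live_html)
    reasons = [f"new external origin: {h}" for h in sorted(new.origins - old.origins)]
    if new.password_fields > old.password_fields:
        reasons.append("credential input added")
    return reasons

# Constructed snapshots: what was reviewed versus what the same URL serves later.
REVIEWED = ('<html><body><script src="https://appsforoffice.microsoft.com/lib/1/hosted/office.js">'
            '</script><div id="calendar">Availability</div></body></html>')
LIVE = ('<html><body><form action="https://collector.example/submit">'
        '<input type="email" name="user"><input type="password" name="pw"></form></body></html>')
```

A non-empty result from `material_drift(REVIEWED, LIVE)` is the signal to queue the add-in for re-review; a text-only change to the reviewed page returns an empty list.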

A Wake-Up Call for Dynamic Dependency Trust Models

The AgreeToSteal campaign illustrates a fundamental challenge in contemporary software distribution models. Office add-ins, browser extensions, and similar marketplace-hosted tools frequently rely on remote, dynamically served content.

Without periodic rescanning and behavioral monitoring, trusted applications can silently evolve into attack vectors.

This case serves as a warning to platform operators and enterprise defenders alike: trust must be continuously validated, particularly when remote infrastructure and dynamic dependencies are involved.
