Full Report
The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials. [...]
Analysis Summary
# Incident Report: Hijacked Outlook Add-in Used as Phishing Kit
## Executive Summary
The legitimate "AgreeTo" Outlook add-in, hosted on the Microsoft Office Add-in Store since December 2022, was hijacked after the original developer abandoned its associated URL. A threat actor claimed this orphaned URL and, because the approved add-in still loaded its content from there, used it to serve a sophisticated phishing kit targeting Microsoft accounts. This resulted in the theft of over 4,000 credentials, banking information, and security answers before Microsoft removed the malicious listing.
## Incident Details
- **Discovery Date:** Prior to February 11, 2026 (Date researchers accessed the exfiltration channel)
- **Incident Date:** Attack campaign was active leading up to discovery.
- **Affected Organization:** Microsoft (as platform host) and individual users of the AgreeTo add-in.
- **Sector:** Technology / Software as a Service (SaaS) / E-commerce enablement (Original function).
- **Geography:** Global (Affecting Microsoft users worldwide).
## Timeline of Events
### Initial Access
- **Date/Time:** Sometime after the developer abandoned the project, allowing the URL to be claimed.
- **Vector:** Supply Chain Compromise / Orphaned URL Claim.
- **Details:** The original developer let the Vercel-hosted URL (`outlook-one[.]vercel[.]app`) referenced by the approved AgreeTo add-in lapse, so the subdomain became available and a threat actor claimed it.
### Lateral Movement
- Not explicitly detailed, as the attack focused on credential harvesting directly through the compromised client-side add-in interface. No additional privileges were needed; the add-in's existing permissions sufficed.
### Data Exfiltration/Impact
- **Details:** Attackers deployed a fake Microsoft sign-in page within the Outlook sidebar. Credentials entered here were immediately exfiltrated. Over 4,000 Microsoft account credentials, credit card numbers, and banking security answers were stolen.
### Detection & Response
- **How it was discovered:** Researchers at Koi Security discovered the compromise by investigating the add-in's live communication channels.
- **Response actions taken:** Koi researchers notified relevant parties, leading to the add-in's removal from the Microsoft Marketplace on the date of reporting (February 11, 2026).
## Attack Methodology
- **Initial Access:** Claiming an abandoned, pre-approved Vercel URL associated with an existing Marketplace application.
- **Persistence:** The malicious code was loaded from the attacker-controlled server every time the legitimate (but compromised) add-in was opened in Outlook.
- **Privilege Escalation:** Not applicable in the traditional sense: the add-in kept its pre-approved `ReadWriteItem` permission, which would have allowed reading or modifying the open mail item, though no such activity was confirmed.
- **Defense Evasion:** Utilizing an already-approved listing in the Microsoft Marketplace, bypassing continuous verification processes for subsequently loaded resources.
- **Credential Access:** Displaying a convincing fake Microsoft login prompt within the Outlook sidebar.
- **Discovery:** None required, as the malicious payload was delivered directly to the user interface.
- **Lateral Movement:** Not utilized; focus on direct harvesting from the client interface.
- **Collection:** Credentials entered on the fake login page were sent via an API to a Telegram bot used by the threat actor.
- **Exfiltration:** Exfiltration channel utilized a Telegram bot API.
- **Impact:** Theft of user credentials and sensitive financial/security details.
## Impact Assessment
- **Financial:** Potential significant financial loss for victims due to stolen credit card numbers and banking information.
- **Data Breach:** Over 4,000 Microsoft account credentials, credit card numbers, and answers to banking security questions.
- **Operational:** Minimal direct operational disruption to Microsoft or the organization hosting the add-in, but high impact on affected end-users.
- **Reputational:** Negative impact on user trust in the security of the Microsoft Office Add-in Marketplace, as this was reportedly the first malware found in the official store.
## Indicators of Compromise
- **Network indicators (Defanged):**
  - Exfiltration endpoint utilized a **Telegram bot API**.
  - Original infrastructure utilized `outlook-one[.]vercel[.]app`.
- **File indicators:** Not explicitly listed (payload was dynamic/web-based).
- **Behavioral indicators:**
  - Display of a counterfeit Microsoft sign-in page within the Outlook sidebar interface.
  - Redirection of users to the legitimate Microsoft login page post-phishing attempt to reduce suspicion.
## Response Actions
- **Containment measures:** Microsoft removed the malicious AgreeTo add-in from the official Marketplace upon notification.
- **Eradication steps:** Users were recommended to immediately uninstall the AgreeTo add-in.
- **Recovery actions:** Affected users must reset passwords for compromised Microsoft accounts and notify financial institutions regarding stolen card details.
## Lessons Learned
- The established review process for Microsoft Office Add-ins is insufficient to prevent malicious code injection *after* initial approval, because an add-in loads its code from a developer-controlled external URL whose content (and ownership) can change once the listing is approved.
- Orphaned or abandoned commercial software listings on official marketplaces pose a significant and latent supply-chain risk.
- There is a critical gap in continuous verification processes for applications loading external content after initial approval.
## Recommendations
- Implement automated, regular re-verification scans for add-ins that load resources from external, unmanaged URLs.
- Establish a clear process for rapidly de-listing and auditing applications whose associated developer accounts or endpoint domains show signs of abandonment or change in ownership.
- Educate users that Outlook add-ins loading sensitive prompts directly in the sidebar should be treated with high scrutiny, even if sourced from an official marketplace.
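The re-verification scan recommended above can start from the add-in manifest itself. This added example (not Koi Security's or Microsoft's code) parses an OfficeApp manifest, lists every URL the add-in loads at run time, and flags hosts on hosting platforms whose subdomains become claimable once a project is abandoned, raising the severity when the manifest also declares a mail-modifying permission. The sample manifest, the platform list and the `vendor-example.com` host are constructed.

```python
"""Audit an Office add-in manifest for resources served from claimable hosts.

Added example, not tooling from Koi Security or Microsoft. Flags hosts on
shared platforms that release subdomains when a project is deleted, which is
the failure mode behind the AgreeTo hijack. All inputs are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: illustrative list of platforms that release abandoned subdomains.
CLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io", "herokuapp.com")
# Manifest permissions that let add-in code read or alter mail content.
ELEVATED_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

# Constructed manifest in the OfficeApp schema; the Vercel host is the one named
# in the report, re-fanged only so that it parses as a URL.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <DefaultSettings>
    <SourceLocation DefaultValue="https://outlook-one.vercel.app/index.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides><Resources><bt:Urls>
    <bt:Url id="Taskpane.Url" DefaultValue="https://outlook-one.vercel.app/taskpane.html"/>
    <bt:Url id="Commands.Url" DefaultValue="https://addin.vendor-example.com/commands.html"/>
  </bt:Urls></Resources></VersionOverrides>
</OfficeApp>"""


def extract_urls(manifest_xml: str) -> list[str]:
    """Return every http(s) URL held in a DefaultValue attribute, sorted, no duplicates."""
    root = ET.fromstring(manifest_xml)
    return sorted({el.get("DefaultValue") for el in root.iter()
                   if el.get("DefaultValue", "").startswith(("http://", "https://"))})

def permissions(manifest_xml: str) -> str:
    """Return the declared <Permissions> value, or "" if the element is absent."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.split("}")[-1] == "Permissions":  # strip the XML namespace
            return (el.text or "").strip()
    return ""

def audit(manifest_xml: str) -> list[dict]:
    """Flag URLs on claimable hosts; an elevated permission makes each finding high."""
    severity = "high" if permissions(manifest_xml) in ELEVATED_PERMISSIONS else "medium"
    findings = []
    for url in extract_urls(manifest_xml):
        host = (urlparse(url).hostname or "").lower()
        # Exact match or a subdomain of the platform, never a mere string suffix.
        if any(host == s or host.endswith("." + s) for s in CLAIMABLE_SUFFIXES):
            findings.append({"url": url, "host": host, "severity": severity})
    return findings
```

Run `audit(SAMPLE_MANIFEST)` against a real manifest exported from the marketplace listing; a follow-up step in a live scan would be to check whether each flagged host still resolves.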